SMB over QUIC is now in public preview!

Published Jun 24 2021 12:03 PM 6,737 Views
Microsoft

Heya folks, Ned here again. Today I announced the new SMB over QUIC feature for Windows Server 2022 Datacenter: Azure Edition and Windows Insider at the Windows Server 2022, Best on Azure webinar. If you want to cut right to the chase, head to SMB over QUIC (PREVIEW) on Docs.


SMB over QUIC (Preview) offers an "SMB VPN" for telecommuters, mobile device users, and high-security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of TCP/445. All SMB traffic, including authentication and authorization, is carried inside that tunnel and is never exposed to the network. Inside the tunnel, SMB behaves totally normally with all its usual capabilities.


Here's a demo of turning on the SMB over QUIC feature & using it.

To learn more about SMB over QUIC, see demos, and try it out for yourself, head over to SMB over QUIC (PREVIEW) on Docs.


- Ned "quick!" Pyle

26 Comments

Awesome @Ned Pyle :cool: Thanks for Sharing with the Community!

Contributor

Thanks for sharing @Ned Pyle. Is there a recommended intrusion prevention system that can be used here?

Microsoft

@mperrotta I cannot make specific 3rd party recommendations but I am pretty sure Azure Sentinel has these options and lots of folks who want to sell you things :D 

Senior Member

Will it be long for SMB over Quic to be supported in Azure Files?

Microsoft

@evon3 if I had an answer for how long, I promise I'd tell you. :) All I can say is that it's definitely planned by the Azure Files team, I just don't have a date yet.

New Contributor

Since it goes through 443, for security reasons would one want/need/be able to use a reverse proxy to get this to work?


Microsoft

Hi @Dutch2005nl. Yes, as long as it will forward the UDP/443 (and TCP 443 Kerberos KDC Proxy) traffic to the file server, anything - reverse proxy, NAT, etc - should work.

Occasional Visitor

Hi @Ned Pyle, is this available in the Server 2022 preview ISO or is it only Azure for now?

Microsoft

@EvoII Azure for now but we'll have an ISO out for upgrades and making VMs on Azure Stack HCI later this year.

Thanks for this; indeed it can be a game changer for a broad range of organizations out there. Can't wait to try it!

Microsoft

@Konstantinos Xanthopoulos  Glad to hear it!

Occasional Visitor

Hi @Ned Pyle,

Thanks for the info. A couple of questions:

  • Will this ever come to the on-premises version of Windows Server 2022, or will this stay exclusive to Azure/Azure Stack HCI?
  • Also, will Windows Server 2022 be able to function as both a client and a server, or is the client functionality exclusive to Windows 10?
  • I'm also wondering if you have done any speed comparison with regular SMB over VPN, especially over higher latency links? Should this work better over higher latency links, where SMB traditionally is very slow?

Thanks,

Koenraad

Microsoft

@kowillems Howdy.

  • Features that go into the Azure Edition may not remain exclusive over their full lifetime (it's pretty likely we'd try to bring Hotpatch to every area of Windows eventually, for instance). But for the foreseeable future, SMB over QUIC will remain an Azure Edition and Azure-branded feature. It will be available in VMs both in Azure IaaS and on Azure Stack HCI 21H2 guests for those who want to run their workloads in their own datacenters or branches.
  • WS2022 non-Azure Edition can operate as a client just like Win11, for scenarios like RDS.
  • I've not got good comparisons there yet but we plan to. The MsQuic performance story is evolving very rapidly right now; there is a lot of room for improvement and we've seen big gains from that team as we were developing this. That will continue, I know they have a lot of plans in this space.

Occasional Visitor

Thanks for the responses @Ned Pyle, very helpful!

Any idea when Windows Server 2022 non-Azure edition will be released (GA/RTM)?

Thanks,

Koenraad

Microsoft

@kowillems I am not allowed to share that yet, sorry :(

Thank you, Ned! Great feature, excellent demo and...it works like a charm :)

Microsoft

@Massimo_Sebastiani woohooo! 

Visitor

Ned,

Is the eval ISO that includes the SMB over QUIC feature available as yet? If not do you know when?

Microsoft

@DAASMD 

Howdy. We will have ISO and VHDX media for Windows Server 2022 Datacenter: Azure Edition when the Azure Stack HCI 21H2 platform is ready for this scenario's public preview. I don't have a date for this yet to share, but it's not too terribly far off, as the 21H2 moniker shows.

Regular Visitor

Isn't this bypassing the old-fashioned firewall security as we know it?

Essentially, you can access any local port through the UDP port? Or, probably, at least the local services should opt-in to using QUIC to receive that kind of access.

I also have doubts about it, because IDS/IPS/firewall systems will have to adapt to it.

Which means new code, new bugs, new security vulnerabilities, etc.

At least, does the Windows firewall somehow handle those connections, in order to allow you to block them (e.g., can you block only the SMB connections on the UDP port and let the HTTP/3 ones pass?).

Is this offering anything to security?

E.g., since the SMB port is not open anymore, can someone still figure out that there is SMB access on that server, or it is well hidden and hard to figure out?

My guess is that it is easy to figure out, since this is meant to work for public access scenarios, like HTTP/3.

Microsoft

@Kostas777 No, you cannot access any port through UDP. You access the port you registered your server on (QUIC is by default 443, but it can be changed). You can't just use any application on QUIC; your protocol must be adapted to it. Right now that's SMB, HTTP, and DNS (this will expand - the point of QUIC is, over decades, to replace TCP as the first-class protocol of untrusted network computing).

This is entirely opt-in; none of this is on by default. There is no way for anyone outside to use SMB over QUIC unless you configure it on purpose on a server with an edge public IP route. No one can successfully obfuscate ports; port scanners will just find them if they're not on the defaults.
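For readers who want to see what "turning on" the feature (from the post above) and "the port you registered your server on" (from this reply) look like in practice, here is an added PowerShell walkthrough. It is not code from Ned's post or from the Docs page; it uses the SMB and networking cmdlets that ship with Windows Server 2022 / Windows 11, and the server name fs.contoso.com, the share name, the drive letter and the <THUMBPRINT> value are placeholders you would replace with your own. Steps 1, 2 and 4 are the checks a defender would run to confirm the feature really is off (or only where intended) before anything is exposed at the edge.

```powershell
# Added example, not from the original post. Run on a Windows Server 2022
# Datacenter: Azure Edition file server unless a step says "client".
# Placeholders: fs.contoso.com, \share, Z:, <THUMBPRINT>.

# 1. Audit: is SMB over QUIC enabled? It is off unless an admin turned it on.
Get-SmbServerConfiguration | Select-Object EnableSMBQUIC

# 2. Audit: which certificates, if any, are mapped to SMB over QUIC names?
#    Without a mapping the server has nothing to present over QUIC.
Get-SmbServerCertificateMapping

# 3. Opt in on purpose: map a certificate whose subject/SAN matches the
#    name clients will connect to. The thumbprint is a placeholder.
New-SmbServerCertificateMapping -Name 'fs.contoso.com' `
                                -Thumbprint '<THUMBPRINT>' `
                                -StoreName 'My'

# 4. Audit: what is actually listening on UDP/443 (the default QUIC port)?
#    Only the SMB server's registered endpoint should appear here; anything
#    else on that port is worth explaining before opening it at the edge.
Get-NetUDPEndpoint -LocalPort 443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 5. Client (Windows 11 / Windows Server 2022, any edition): request the QUIC
#    transport explicitly rather than letting the client pick TCP/445.
New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fs.contoso.com\share' -TransportType QUIC

# 6. Roll back: remove the mapping and switch the transport off again.
#    (Parameter names for the Remove cmdlet are assumed to mirror the New cmdlet.)
Remove-SmbServerCertificateMapping -Name 'fs.contoso.com' -Thumbprint '<THUMBPRINT>' -Force
Set-SmbServerConfiguration -EnableSMBQUIC $false -Force
```

The point of steps 1, 2 and 4 together is that "opt-in" is verifiable: with EnableSMBQUIC false and no certificate mapping, there is no QUIC listener for a scanner to find, and the TCP/445 exposure question is unchanged from a classic file server.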

Visitor

Ned,

Looking at the features available based on edition, please confirm if SMB via QUIC is only available in  Windows Server 2022 Azure Edition.

Microsoft

@DAASMD yes, as an SMB server. The SMB over QUIC client is in all editions of Windows Server 2022 and Windows 11

Occasional Contributor

This is neat, and solves the no-445 problem, but I don't get how something this new, shiny and user-centric doesn't support Azure AD and its MFA.

I see that we can enroll all users in on-prem PKI and require Windows Hello, but deploying such a footprint opposes the reason many customers are looking at cloud in the first place. Even the presumably-upcoming Azure Files version of this isn't hinting at MFA support.

I'd love to be all wrong here. Let us know! 

Microsoft

@Mike Crowley The issue is that the SMB team doesn't make authentication or MFA; we use authentication and MFA. Windows needs to support those things for protocols and non-web apps to use them, and it doesn't. We're working to get that prioritized with the owners, though; it's not a dead end.

You can use any cert authority you want, including cloud-based systems, to distribute the certs. I only document an MS PKI because that's what I can use and what so many orgs already have deployed. I've got some blog posts coming about using alternatives.

Occasional Contributor

Completely understood. I appreciate you @Ned Pyle :) 

I'm just sharing real-world feedback and am eager to help customers adopt this feature when all of the dependencies are ready.

Version history
Last update: Jul 19 2021 01:29 PM