SMB over QUIC Configuration in Windows Server 2022 and later

What is SMB over QUIC?

SMB over QUIC allows secure, VPN-less access to file shares over the internet using UDP port 443 (QUIC protocol) instead of traditional TCP 445. It’s encrypted using TLS 1.3 and is ideal for remote workers or hybrid environments.


Prerequisites:

  1. Windows Server 2022 Datacenter: Azure Edition (Standard edition does not support QUIC)
  2. Any edition of Windows Server 2025 or later
  3. The SMB server and client must be joined to an Active Directory domain, or the client must have a local user account on the SMB server. The SMB server must have access to at least one domain controller for authentication, but no domain controller requires any internet access. We recommend using SMB over QUIC with Active Directory domains; however, it isn’t required. You can also use SMB over QUIC on a workgroup-joined server with local user credentials and NTLM.
  4. Your server must be accessible to clients on its public interface by adding a firewall allow rule to allow SMB over QUIC. By default, SMB over QUIC uses UDP/443 inbound. Do not allow TCP/445 inbound to the file server.
  5. The file server must have access to at least one domain controller for authentication.
  6. DNS record for the server’s FQDN.
  7. A valid TLS certificate trusted by clients (issued by internal CA or public CA).
  8. Administrative privileges or equivalent for the SMB server you’re configuring.

How to Deploy SMB over QUIC:
 
Step 1: Install the SSL & root Certificates on the server:
 
SMB over QUIC requires TLS 1.3 and will not function unless the client fully trusts the server’s certificate.
QUIC client computers must trust the full certificate chain.

Install the root certificate if it is not already installed.
 
Install the certificate with the .p7b (PKCS #7) file extension that you received from the CA. It contains the public certificate and the intermediate chain.

A .p7b includes intermediate certificates that the client may need to validate the server’s identity.
 
It is not used directly for QUIC — but it’s an important step in setting up a valid and trusted certificate chain on the server.
 
Double-click both files and install them one by one:

  • Root Certificate
  • PKCS #7 Certificate (.p7b)

Install all three certificates one by one (original server certificate + chain): double-click each certificate and install it. While installing, select “Automatically select the certificate store based on the type of certificate” in the import wizard.

Verify that the installed certificate chain is valid.

Open Run, type “certlm.msc” and press Enter, then go to Certificates - Local Computer > Personal > Certificates. Double-click the server's original certificate (server FQDN, Servername.vlookuphub.com) and open the Certification Path tab.

Check the certificate chain. No certificate in the chain should show a “cross mark”; all of them should show as valid and OK.
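
The same chain check can be scripted. The following is an added example, not part of the original post: it finds the certificates in the local machine Personal store that list the server FQDN, confirms each has a private key and is within its validity period, validates it against the TLS server policy, and prints the status of every element in its chain. The $Fqdn value and the Get-CertChainReport function name are placeholders chosen for this example.

```powershell
# Added example (not from the original post). Run in elevated Windows PowerShell
# on the file server. Placeholder (assumption): set $Fqdn to your server's FQDN.
$Fqdn = '<server FQDN>'

function Get-CertChainReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # $true = build the chain using the local machine certificate stores.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    $chainValid = $chain.Build($Certificate)

    # One row per chain element: leaf first, root last.
    foreach ($element in $chain.ChainElements) {
        $problems = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        [pscustomobject]@{
            Subject    = $element.Certificate.Subject
            NotAfter   = $element.Certificate.NotAfter
            Status     = if ($problems.Count) { $problems -join ', ' } else { 'OK' }
            ChainValid = $chainValid
        }
    }
}

# Candidate certificates: those whose DNS name list contains the FQDN exactly
# (a wildcard certificate will not match this filter).
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $Fqdn })

if (-not $candidates) {
    Write-Warning "No certificate in Cert:\LocalMachine\My lists $Fqdn as a DNS name."
}
foreach ($cert in $candidates) {
    $now = Get-Date
    # Test-Certificate returns $true only if the chain and name pass the SSL policy.
    $sslOk = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn `
        -WarningAction SilentlyContinue -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $cert.HasPrivateKey
        WithinValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        SslPolicyOk    = $sslOk
    } | Format-List
    Get-CertChainReport -Certificate $cert | Format-Table -AutoSize
}
```

Any Status other than OK in the table corresponds to a “cross mark” in the Certification Path view.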

Step 2: Install the “File Server Role”:

Open Server Manager and install the File Server role.

Reboot the server if required to finish the installation.

Step 3: Configure SMB over QUIC:

List the certificates in the local machine certificate store by running the following PowerShell command

Get-ChildItem -Path Cert:\LocalMachine\My

To gather the certificate hash (thumbprint) using PowerShell

Get-ChildItem -Path Cert:\LocalMachine\My | fl *

Run the following command to store the certificate in a variable. Replace <subject name> with the subject name of the certificate you want to use.

$serverCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Match "<subject name>"}

Verify the certificate matches the one you want to use by running the following command

$serverCert
 
Enable SMB over QUIC and map the certificate.

To enable SMB over QUIC using the certificate thumbprint of the matched certificate, run the following command. Make sure to replace <server FQDN> with the fully qualified domain name of the SMB over QUIC server.

New-SmbServerCertificateMapping -Name <server FQDN> -ThumbPrint $serverCert.Thumbprint -Storename My
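
After the mapping is created, it is worth confirming it and the firewall state from prerequisite 4 (UDP/443 allowed inbound, TCP/445 not exposed). The following is an added example, not part of the original post; the $Fqdn value and the firewall rule display name are placeholders constructed for this example.

```powershell
# Added example (not from the original post). Run in elevated PowerShell on the
# file server. Placeholder (assumption): set $Fqdn to your server's FQDN.
$Fqdn = '<server FQDN>'
$RuleName = 'SMB over QUIC (UDP 443 inbound)'   # constructed display name

# 1. The mapping must exist and point at a certificate still present in the store.
$mappings = @(Get-SmbServerCertificateMapping | Where-Object Name -eq $Fqdn)
if (-not $mappings) { Write-Warning "No SMB over QUIC certificate mapping named $Fqdn." }
foreach ($m in $mappings) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $m.Thumbprint
    [pscustomobject]@{
        Name        = $m.Name
        Thumbprint  = $m.Thumbprint
        CertInStore = [bool]$cert
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
    } | Format-Table -AutoSize
}

# 2. Allow UDP/443 inbound, creating the rule only if it is not already there.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol UDP -LocalPort 443 -Action Allow | Out-Null
}

# 3. List enabled inbound allow rules that expose TCP/445, with their profiles,
#    so any that apply to the internet-facing interface can be disabled.
#    (Rules that cover 445 only through a port range are not caught.)
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

A mapping whose CertInStore value is False, or whose NotAfter date has passed, will not serve QUIC clients until it is recreated with a valid certificate.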

 

Step 4: Test mapping connectivity.
 
On a non-OS drive of the server, create a temporary shared folder with permissions for testing.

Test mapping a network drive using Transport: QUIC.

Using an elevated command prompt

NET USE \\<server FQDN>\<sharefolder name> /TRANSPORT:QUIC

Using elevated PowerShell

New-SmbMapping -RemotePath \\<server FQDN>\<sharefolder name> -TransportType QUIC

Example: New-SmbMapping -LocalPath 'Z:' -RemotePath '\\vlookuphubcomp.contoso.com\sales' -TransportType QUIC

Execute the above command in elevated PowerShell.

If the command returns the new mapping without an error, the share is successfully mapped, so SMB over QUIC is working fine.
