SMB over QUIC (PREVIEW)

Applies to: Windows Server 2022 Datacenter: Azure Edition Preview, Windows 11 Insider Preview

SMB over QUIC (Preview) introduces an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet. QUIC is an IETF-standardized protocol with many benefits when compared with TCP:

  • All packets are always encrypted and handshake is authenticated with TLS 1.3
  • Parallel streams of reliable and unreliable application data
  • Exchanges application data in the first round trip (0-RTT)
  • Improved congestion control and loss recovery
  • Survives a change in the client's IP address or port

SMB over QUIC offers an "SMB VPN" for telecommuters, mobile device users, and high security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of the legacy TCP port 445. All SMB traffic, including authentication and authorization, stays within the tunnel and is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, so the user experience doesn't change. SMB features like multichannel, signing, compression, continuous availability, directory leasing, and so on, work normally.

A file server administrator must opt in to enabling SMB over QUIC. It isn't on by default and a client can't force a file server to enable SMB over QUIC. Windows SMB clients still use TCP by default and will only attempt SMB over QUIC if the TCP attempt first fails or if intentionally requiring QUIC using or .

Note

SMB over QUIC is in preview and not supported for production workloads, but you can get support from Microsoft while evaluating it.

Prerequisites

To use SMB over QUIC, you need the following things:

  • A file server running Windows Server 2022 Datacenter: Azure Edition Preview (Microsoft Server Operating Systems Preview)
  • A Windows 11 Insider Preview (Windows Insider Channels)
  • Windows Admin Center (Homepage)
  • A Public Key Infrastructure to issue certificates like Active Directory Certificate Server or access to a trusted third party certificate issuer like Verisign, Digicert, Let's Encrypt, and so on.

Deploy SMB over QUIC

Step 1: Install a server certificate

  1. Create a Certificate Authority-issued certificate with the following properties:

    • Key usage: digital signature
    • Purpose: Server Authentication (EKU 1.3.6.1.5.5.7.3.1)
    • Signature algorithm: SHA256RSA (or greater)
    • Signature hash: SHA256 (or greater)
    • Public key algorithm: ECDSA_P256 (or greater. Can also use RSA with at least 2048 length)
    • Subject Alternative Name (SAN): (A DNS name entry for each fully qualified DNS name used to reach the SMB server)
    • Subject: (CN= anything, but must exist)
    • Private key included: yes

    [Screenshots of the certificate details: Signature algorithm sha256RSA, Signature hash algorithm sha256, Subject ws2022-quic; Public key ECC (256 bits) with parameters ECDSA-P256 and one Application Policy; Subject Alternative Name DNS Name=ws2022-quic.corp; Key Usage Digital Signature, Non-Repudiation]

    If using a Microsoft Enterprise Certificate Authority, you can create a certificate template and allow the file server administrator to supply the DNS names when requesting it. For more information on creating a certificate template, review Designing and Implementing a PKI: Part III Certificate Templates. For a demonstration of creating a certificate for SMB over QUIC using a Microsoft Enterprise Certificate Authority, watch this video:

    For requesting a third-party certificate, consult your vendor documentation.

  2. If using a Microsoft Enterprise Certificate Authority:

    1. Start MMC.EXE on the file server.
    2. Add the Certificates snap-in, and select the Computer account.
    3. Expand Certificates (Local Computer), Personal, then right-click Certificates and click Request New Certificate.
    4. Click Next.
    5. Select Active Directory Enrollment Policy.
    6. Click Next.
    7. Select the certificate template for SMB over QUIC that was published in Active Directory.
    8. Click More information is required to enroll for this certificate. Click here to configure settings.
    9. So that users can locate the file server, fill in the Subject value with a common name and the Subject Alternative Name with one or more DNS names.
    10. Click OK and click Enroll.


Note

If you're using a certificate file issued by a third party certificate authority, you can use the Certificates snap-in or Windows Admin Center to import it.

Step 2: Configure SMB over QUIC

  1. Deploy a Windows Server 2022 Datacenter: Azure Edition preview server.

  2. Install the latest version of Windows Admin Center on a management PC or the file server. You need the latest version of the Files & File Sharing extension. It's installed automatically by Windows Admin Center if Automatically update extensions is enabled in Settings > Extensions.

  3. Join your Windows Server 2022 Datacenter: Azure Edition file server to your Active Directory domain and make it accessible to Windows Insider clients on the Azure public interface by adding a firewall allow rule for UDP/443 inbound. Do not allow TCP/445 inbound to the file server. The file server must have access to at least one domain controller for authentication, but no domain controller requires any internet access.

  4. Connect to the server with Windows Admin Center and click the Settings icon in the lower left. In the File Shares (SMB server) section, under File sharing across the internet with SMB over QUIC, click Configure.

  5. Click a certificate under Select a computer certificate for this file server, click the server addresses clients can connect to or click Select all, and click Enable.


  6. Ensure that the certificate and SMB over QUIC report are healthy.


  7. Click on the Files and File Sharing menu option. Note your existing SMB shares or create a new one.

For a demonstration of configuring and using SMB over QUIC, watch this video:

Step 3: Connect to SMB shares

  1. Join your Windows 11 Insider Preview to your domain. Be certain that the names in the SMB over QUIC file server's certificate subject alternative names are fully qualified and published to DNS, or added to the HOSTS file on your Windows 11 Insider Preview.

  2. Move your Windows 11 Insider Preview to an external network where it no longer has any network access to domain controllers or the file server's internal IP addresses.

  3. In Windows File Explorer, in the Address Bar, type the UNC path to a share on the file server and confirm you can access data in the share. Alternatively, you can use NET USE /TRANSPORT:QUIC or New-SmbMapping -TransportType QUIC with a UNC path. Examples:

    (automatically tries TCP then QUIC)

    (tries only QUIC)

    (tries only QUIC)

Configure the KDC Proxy (Optional, but recommended)

By default, a Windows 11 Insider Preview won't have access to an Active Directory domain controller when connecting to an SMB over QUIC file server. This means authentication uses NTLMv2, where the file server authenticates on behalf of the client. No NTLMv2 authentication or authorization occurs outside the TLS 1.3-encrypted QUIC tunnel. However, we still recommend using Kerberos as a general security best practice and don't recommend creating new NTLMv2 dependencies in deployments. To enable this, you can configure the KDC proxy to forward ticket requests on the user's behalf, all while using an internet-friendly HTTPS encrypted communication channel.

Note

You cannot configure the Windows Admin Center in gateway mode using TCP port 443 on a file server where you are configuring KDC Proxy. When configuring WAC on the file server, change the port to one that is not in use and is not 443. If you have already configured WAC on port 443, re-run the WAC setup MSI and choose a different port when prompted.

  1. On the file server, in an elevated PowerShell prompt, run:

  2. Copy the thumbprint value of the certificate used for SMB over QUIC (there may be multiple lines, but they will all have the same thumbprint) and paste it as the Certhash value for the following command:

  3. Add the file server's SMB over QUIC names as SPNs in Active Directory for Kerberos. For example:

  4. Set the KDC Proxy service to automatic and start it:

  5. Configure the following group policy to apply to the Windows 11 Insider Preview:

    Computers > Administrative templates > System > Kerberos > Specify KDC proxy servers for Kerberos clients

    The format of this group policy setting is a value name of your fully qualified Active Directory domain name and the value will be the external name you specified for the QUIC server. For example, where the Active Directory domain is named "corp.contoso.com" and the external DNS domain is named "contoso.com":

    This Kerberos realm mapping means that if a user tries to connect to a file server name , the KDC proxy will know to forward the Kerberos ticket requests to a domain controller in the internal domain. The communication with the client is over HTTPS/443, and user credentials aren't directly exposed on the client-file server network.

  6. Create a Windows Defender Firewall rule that inbound-enables TCP port 443 for the KDC Proxy service to receive authentication requests.

  7. Ensure that edge firewalls allow HTTPS/443 inbound to the file server.

  8. Apply the group policy and restart the Windows 11 Insider Preview.
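The server-side KDC Proxy steps above (1 through 4 and 6), as one re-runnable PowerShell script. This is an added example, not the commands from the Microsoft docs. Assumptions not shown on this page: the SMB over QUIC certificate is already in Cert:\LocalMachine\My with the external name in its SAN; the KDC Proxy service is KPSSVC and reads its settings from HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings; Windows Admin Center is not bound to TCP/443 on this host (see the note above); $ExternalName is a placeholder for your public DNS name.

```powershell
# Added example: configure the KDC Proxy on an SMB over QUIC file server.
# Run in an elevated PowerShell prompt on the file server.
param(
    [Parameter(Mandatory)][string]$ExternalName   # e.g. quicserver.contoso.com (placeholder)
)

# Step 1: KDC Proxy service settings (assumed standard KPSSVC keys, not taken from this page).
# HttpsClientAuth=0: clients present Kerberos messages only, no client TLS certificate.
# DisallowUnprotectedPasswordAuth=0: also lets users change passwords through the proxy.
$settings = 'HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings'
New-Item -Path $settings -Force | Out-Null
New-ItemProperty -Path $settings -Name HttpsClientAuth -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $settings -Name DisallowUnprotectedPasswordAuth -PropertyType DWord -Value 0 -Force | Out-Null
# Reserve the /KdcProxy URL on HTTPS 443 for the service account the proxy runs as.
netsh http add urlacl url=https://+:443/KdcProxy user="NT AUTHORITY\Network Service" | Out-Null

# Step 2: select the certificate by SAN instead of copying a thumbprint by hand.
# DnsNameList is a property the Cert: provider adds to each certificate object.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $ExternalName } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key and SAN '$ExternalName' in LocalMachine\My" }
$thumbprint = $cert.Thumbprint

# Bind that certificate to HTTPS on every address, port 443 (HTTP.sys). Replace a stale binding.
if ((netsh http show sslcert ipport=0.0.0.0:443) -match 'Certificate Hash') {
    netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
}
$appId = '{' + [guid]::NewGuid().ToString() + '}'
netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumbprint appid="$appId" | Out-Null

# Step 3: register the external name as an HTTP SPN so Kerberos clients can target the proxy.
# setspn -S checks the forest for duplicates before adding.
setspn -S "HTTP/$ExternalName" $env:COMPUTERNAME | Out-Null

# Step 4: start the KDC Proxy service now and at every boot.
Set-Service -Name KPSSVC -StartupType Automatic
Start-Service -Name KPSSVC

# Step 6: inbound TCP/443 for the proxy only. SMB over QUIC itself uses UDP/443 (a separate
# rule), and TCP/445 stays closed on an internet-facing file server.
$ruleName = 'KDC Proxy (TCP 443 inbound)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 443 `
        -Action Allow | Out-Null
}

# Summarise what was configured so it can be checked against the clients' realm-mapping policy.
[pscustomobject]@{
    Certificate = $thumbprint
    SslBinding  = ((netsh http show sslcert ipport=0.0.0.0:443) | Select-String 'Certificate Hash') -replace '\s+', ' '
    Spn         = "HTTP/$ExternalName"
    Service     = (Get-Service -Name KPSSVC).Status
}
```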

Note

Automatic configuration of the KDC Proxy will come later in the SMB over QUIC Preview and these server steps will not be necessary.

Notes

  • Windows Server 2022 Datacenter: Azure Edition Preview will also be available on Azure Stack HCI 21H2 Preview later this year, for customers not using Azure public cloud.
  • We recommend read-only domain controllers configured only with passwords of mobile users be made available to the file server.
  • Users should have strong passwords or, ideally, be configured using a passwordless strategy with Windows Hello for Business MFA or smart cards. Configure an account lockout policy for mobile users through fine-grained password policy and you should deploy intrusion protection software to detect brute force or password spray attacks.

More references

Storage at Microsoft blog

QUIC Working Group homepage

Microsoft MsQuic GitHub homepage

QUIC Wikipedia

TLS 1.3 Working Group homepage

Microsoft TLS 1.3 Support Reference

Source: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-over-quic

Working Hard In IT

SMB over QUIC POC

I have had the distinct pleasure of being one of the first people to implement an SMB over QUIC POC. It was in a proof of concept I did with Windows Server 2022 Azure Edition in public preview.

That was a fun and educational exercise. As a result, I learned a lot. As a result, I decided to write a lab and test guide, primarily for my own reference. But also, to share my experience with others.

You can read the lab guide in a two part series of articles. SMB over QUIC: How to use it – Part I | StarWind Blog (starwindsoftware.com) and SMB over QUIC Testing Guide – Part II | StarWind Blog (starwindsoftware.com)

I am convinced it will fill a need for people that require remote access to SMB file shares without a VPN. Next to that, the integration with the KDC proxy service makes it a Kerberos integrated solution. In addition, the KDC Proxy service has the added benefit of allowing for remote password changes.

If you need to get up to speed on what SMB over QUIC is all about I refer you to my article SMB over QUIC Technology | StarWind Blog (starwindsoftware.com). I’m sure that will bring you up to speed.

Finally, I hope you will find these articles useful. I’m pretty sure they will help you with your own SMB over QUIC POC and testing.

Thank you for reading!


This entry was posted in Azure, IT Pro, Lab, Learning, Networking, SMB 3.0, Windows Server 2022 and tagged POC, SMB over QUIC, Windows Server 2022 Azure Edition by workinghardinit.

Source: https://blog.workinghardinit.work/2021/07/15/smb-over-quic-poc/

SMB over QUIC: Files Without the VPN

Update 8/17/2021: this is all available now, come and get it! https://aka.ms/smboverquic

Hi folks, Ned Pyle guest-posting today about SMB over QUIC, a game-changer coming to Windows, Windows Server, and Azure Files. In today’s world, SMB file share access for mobile users requires expensive & complex VPNs. Departments trying to use Azure Files often find their ISP has blocked port 445. Even though users are just as likely to be deskless and organizations are doing more hybrid computing than ever, SMB hasn’t kept up.

 

That’s all changing with SMB over QUIC.

QUIC is an IETF-standardized protocol that replaces TCP with a web-oriented UDP mechanism that theoretically improves performance and congestion, but still tries to maintain TCP’s reliability & broad applicability. Unlike TCP, QUIC is always encrypted and requires TLS 1.3 with certificate authentication of the tunnel.

QUIC’s already in use in Windows 10 through the Edge browser and other apps. With SMB over QUIC – I don’t have a clever marketing name for this yet :) – QUIC becomes the transport, optionally replacing TCP/IP and RDMA, as well as a tunnel securing all SMB payloads with encryption, even if SMB encryption is not enabled, all while multiplexing over port 443 to an enlightened share. An admin will be able to opt-in to this new capability by deploying a Windows Server at the edge of the network, installing a certificate trusted by clients, then enabling the QUIC option. Or enable it on their Azure Files instance.

We have two design imperatives for SMB over QUIC:

  1. Secure: Prevent man-in-the-middle and spoofing by malicious parties as well as guarantee no sniffing of that sweet file payload or allowing any user credentials onto the Internet. The entire SMB conversation – negotiate capabilities, authentication, authorization, message bodies – all occur inside the QUIC layer, just like if the user was in an IPSEC or VPN tunnel. Yes, it even blankets NTLM challenges.

  2. Simple: The user experience for SMB over QUIC can’t change from their corpnet/LAN/branch office experience, it’s too expensive to retrain users. So, we don’t add extra UI or command-line arguments to the client experience – their updated Windows 10 machines will simply try TCP and RDMA like always, but then wait briefly and try QUIC too. This means if they can get faster perf on a local network with RDMA or unencrypted TCP, they will. And if they are travelling or an admin mandates QUIC, they can get that instead. All seamless to the end user and their apps.

Here’s a quick (heh) demo of the user experience. Spoiler alert: a user probably can’t tell anything changed except that SMB now works when I’m at a hotel for Microsoft Ignite.

The question I always get at this point is: when is this coming? I don’t have a good answer yet, but as we get firmer, I'll get more details out there. This is a key technology for Azure Files and Windows Server edge computing, as well as our mobile strategy, so all I can say is that it’s coming. As you can see from the demo, we’re far along. Check back at the ITOpsTalk.com and FileCab blogs for more details and info on Insider Previews this year. We are working with third parties to offer up this choice in other mobile platforms as well – you should be asking your vendors what their plans are.

I hope you’ve enjoyed learning about this new feature, I think it’s a real game changer. If you have questions, hit me up on twitter or DM me on TechCommunity.

- Ned Pyle

Source: https://techcommunity.microsoft.com/t5/itops-talk-blog/smb-over-quic-files-without-the-vpn/ba-p/1183449

SMB over QUIC Testing Guide – Part I

Introduction

QUIC is a recent secure networking transport on top of UDP. Together with TLS 1.3 it forms the basis for HTTP/3. It has many benefits compared to HTTP/2 over TCP with TLS 1.2 or TLS 1.3. I have written about SMB over QUIC before in QUIC, hurry up, where I position TLS 1.3, HTTP/3, and QUIC in Microsoft’s operating systems. I invite you to read that article for my musings on this subject.

No matter who you are and what you do in IT, you will be using QUIC in some shape or manner. QUIC is very young, and we are only at the beginning of its journey in development, evolution, and adoption. Next to HTTP/3, we see an interest in using QUIC for many other use cases such as DNS and SMB. In this article, I will be looking at SMB over QUIC and why to use it.

SMB over QUIC is available in Windows Server 2022 Azure Edition (in preview at the time of writing) and can be deployed in Azure as well as on Azure Stack HCI. I think they should make it available on any Windows Server 2022 edition, but that is my opinion. You can leverage preview versions of Windows 10, Windows 11 (Windows Insider, dev channel), or Windows Server 2022 Azure Edition as SMB over QUIC clients.

SMB over QUIC

Advantages

SMB over QUIC provides security in 2 ways. It prevents server spoofing as the server certificate proves you are connecting to the intended host. Secondly, TLS 1.3 always encrypts SMB over QUIC.

While IT blocks port 445 in the majority of cases, port 443 is typically open. That means that SMB over QUIC via UDP/443 should work in the majority of cases. Google seems to have a very high success rate (+/- 93%) with its QUIC implementations. That number indicates that UDP/443 indeed works “as is” in the majority of environments.

Downsides

There are some downsides compared to SMB over TCP/445. For one, the performance is not as good as it is with SMB encryption. Part of this is because there is no hardware offload support.

Since the client cannot reach a Key Distribution Center (KDC) over the internet, Kerberos is not an option, as there is no direct line of sight to a domain controller. So, authentication defaults to NTLM. The good news is that the TLS 1.3 connection encrypts/tunnels the NTLMv2 exchanges. But we do not have to use NTLMv2. By configuring a KDC proxy service, we enable the use of Kerberos authentication.

Another downside is that the TLS encryption is “machine to machine” and not “user to machine.” For some, that might be an issue.

Use cases and setting them up

The eye-catching use case for SMB over QUIC is securely accessing file shares over the internet without needing any VPN. The magic of QUIC over UDP port 443 lies in the fact that it is always secure by design, thanks to certificates and TLS 1.3. That makes sense; SMB over TCP/445 is not readily usable over the internet. Port 445 is more often blocked than allowed in the firewall, and for good reasons. Secure usage of SMB in a public environment is not a walk in the park. It means that you cannot use it to connect to cloud file shares without needing VPNs or REST-based file access.

From the moment I learned about SMB over QUIC, being the curious and nosey MVP, I was interested in how this works and how to set this up. So, I dove into the lab as soon as it was available in preview, and I will share my learnings with you.

SMB over QUIC integration in the client and the server

The SMB Protocol Stack integration

SMB sits on top of the QUIC stack. In regards to SMB features, this makes very little difference. Multichannel will still work as you have learned to expect. No SMB encryption or signing is required because, by default, SMB over QUIC is always encrypted (TLS 1.3). SMB over QUIC will use the server certificate to ensure there is no server spoofing attack. For secure connections, the SMB connection settings are negotiable. By default, SMB over QUIC relies on the transport layer security/encryption (TLS 1.3) even when we enabled SMB encryption on a file share. The SMB client must append the negotiation context ID=0x0006 to learn if the transport layer security is accepted. We can, however, select to use SMB encryption on top of the TLS 1.3 encryption of QUIC. Note that QUIC always uses TLS 1.3 encryption. QUIC does not alter SMB authentication in any way.

SMB over QUIC process from the client-side

  • The client [1] opens \\Demo-vm-01\smb-quic-demo [2]
  • The client resolves the IP address of our file server via DNS [3]
  • The client attempts to connect using TCP/IP [4] and QUIC [5] in parallel. That is because the client does not know if the server supports QUIC, TCP, or both. As a result, the client needs to attempt both. At the moment, TCP gets a slight head start to establish the connection. Doing so provides the best experience for people inside the corporate network while still offering transparent QUIC connectivity when the users are not.
  • The client SMB multichannel will negotiate interfaces with the server and will select the most optimal scenario. Whether RDMA [6] is available or not will be detected via multichannel. Note that there is no RDMA support for QUIC at the moment of writing. I can, however, see this happen in the future as I see no reason why RDMA and QUIC would not be a “better together” story. Remember that RoCEv2 used UDP, so RDMA is not just about TCP/IP.
  • The client will use TCP/IP or QUIC, whichever connection is established first
  • The client starts sending/receiving data over SMB [7].

Figure 1: SMB over QUIC client-side process

Note that if QUIC is not available for some reason, TCP/445 is always there to save the day unless it has been explicitly disabled or cannot work (no connectivity over TCP/445).

SMB over QUIC process from the server-side

  • The server opens endpoints listening on UDP/443, not only TCP/445 [1]. By default, the server starts both TCP/IP and QUIC listeners. However, you can configure the server to start only TCP/IP or only QUIC listeners selectively. It does not have to do both.
  • The server receives new QUIC connection requests [2] from the SMB clients
  • The server finds the certificate [3] for the new QUIC connection
  • The server accepts the connection, and authentication takes place [4].
  • The server sends/receives data over SMB over QUIC [5]
  • Note that if QUIC is not available for some reason, TCP/445 is there unless explicitly disabled [6].
  • Whether RDMA [7] is available or not will be detected via multichannel. Note that there is no RDMA support for QUIC at the moment of writing. I can, however, see this happen in the future as I see no reason why RDMA and QUIC would not be a “better together” story. Remember that RoCEv2 used UDP, so RDMA is not just about TCP/IP.
  • The server starts sending/receiving data via SMB [8]

Figure 2: SMB over QUIC server-side process


Installing an SMB over QUIC Server

For our lab, we are deploying two Windows Server 2022 Datacenter Azure Edition virtual machines in Azure. We will use one as an SMB server and one as an SMB client. During the early days of the preview, it was only available in three regions (West Central US, South Central US, or North Europe). Twenty more came online a week later, and now it should be available in all. By the time you read this, it might very well be out of preview and generally available.

Ensure you join your Windows Server 2022 Datacenter Azure Edition file server and the client to your Active Directory domain.

The file server must have access to at least one domain controller for authentication. Heck, even in the lab, I have 2. There is no need to allow any access from (gulp!) or to the internet from your domain controllers.

Firewall

On the Windows Firewall, the rules exist to allow SMB traffic over both TCP/445 and UDP/443. You can block TCP/445 to force UDP/443 (QUIC) for testing.

Configure your 3rd party firewall(s) to allow access from the internet by adding a firewall rule that allows inbound traffic for UDP/443. By blocking inbound traffic for TCP/445 to the file server, you will force SMB over QUIC. That might not be what you want on the internal firewall, but it is probably already in place on the internet-facing firewall. On an edge firewall, you block TCP/445 inbound and outbound, which is fine, except for specific rules for access to Azure file shares, for example.

However, for QUIC to work for telecommuters and road warriors, you will want to allow UDP/443. For a discussion around the security impact on this, see QUIC, hurry up.

Today, any decent security appliance vendor should plan to recognize and deal with QUIC instead of classifying it as “Generic UDP” traffic.

Configuration options on the SMB Server & Client

SMB client Settings

While blocking TCP/445 can help test SMB over QUIC when using Windows Explorer to access the shares, you can also enforce QUIC via NET USE or PowerShell commands.

    New-SmbMapping -TransportType QUIC

or

    net use /transport:quic

The above forces the mapping to use QUIC.

    New-SmbMapping -TransportType QUIC -SkipCertificateCheck

or

    net use /transport:quic /skipcertcheck

Disabling the certificate check is OK for testing or internal use, but you should never use this on internet-facing servers.

Via Get-SMBMapping, you can look at the TransportType used (QUIC or TCP) alongside other properties.

We now take a look at the SMB client configuration with Get-SmbClientConfiguration.

Figure 3: You can configure 2 SMB client settings related to SMB over QUIC

As said before, TLS 1.3 provides encryption for SMB over QUIC, so you usually do not need SMB encryption. That’s why the default value for this setting is false. If you need to enable SMB encryption on top of it, you can set it to True.

    Set-SmbClientConfiguration -ForceSMBEncryptionOverQuic $True

The default value for SkipCertificateCheck is false. You usually do not want to disable the certificate check, but for testing it can come in handy.

    Set-SmbClientConfiguration -SkipCertificateCheck $True

SMB server Settings

When we look at the SMB server configuration options Get-SmbServerConfiguration, we also find some settings related to QUIC.

  • DisableSmbEncryptionOnSecureConnection
  • RestrictNamedPipeAccessViaQuic
  • EnableSMBQUIC

Figure 4: Configure 2 SMB client settings related to SMB over QUIC

These are pretty much self-explanatory, and you can change them via PowerShell. The default values are all “True” and make sense. We do indeed want QUIC enabled and named pipe access via QUIC restricted. When using QUIC, the communications go over TLS 1.3, so SMB encryption is not enforced on top of that by default.

You can change these settings with PowerShell, as shown below.

    Set-SmbServerConfiguration -RestrictNamedpipeAccessViaQuic $False -DisableSmbEncryptionOnSecureConnection $False -EnableSMBQUIC $False
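An added PowerShell example (not from the article) that checks the client and server settings discussed above against their secure defaults, and confirms that a mapping really uses QUIC rather than silently falling back to TCP/445 (the same check as the NET USE /TRANSPORT:QUIC examples in the Microsoft docs' Step 3). Assumptions: run in an elevated session; Get-SmbQuicServerPosture runs on the file server itself; Get-SmbServerCertificateMapping and Get-NetUDPEndpoint are standard Windows cmdlets not mentioned in the article; \\Demo-vm-01\smb-quic-demo is the article's example share.

```powershell
# Added example: posture checks for an SMB over QUIC client and server.
function Get-SmbQuicClientPosture {
    $c = Get-SmbClientConfiguration
    $findings = @()
    # SkipCertificateCheck=True removes the only protection against server spoofing.
    if ($c.SkipCertificateCheck) { $findings += 'SkipCertificateCheck is True: server identity is not verified' }
    [pscustomobject]@{
        SkipCertificateCheck       = $c.SkipCertificateCheck
        ForceSMBEncryptionOverQuic = $c.ForceSMBEncryptionOverQuic   # False by default: TLS 1.3 already encrypts
        Findings                   = $(if ($findings) { $findings } else { 'OK' })
    }
}

function Get-SmbQuicServerPosture {
    $s = Get-SmbServerConfiguration
    $findings = @()
    if (-not $s.EnableSMBQUIC) { $findings += 'EnableSMBQUIC is False: no QUIC listener on UDP/443' }
    # Named pipes (IPC$, RPC) should not be reachable from the internet over QUIC.
    if (-not $s.RestrictNamedPipeAccessViaQuic) { $findings += 'RestrictNamedPipeAccessViaQuic is False: named pipes exposed over QUIC' }
    if (-not $s.DisableSmbEncryptionOnSecureConnection) { $findings += 'SMB encryption layered on TLS 1.3: redundant CPU cost' }
    # A QUIC listener is useless without a certificate mapped to a server name (assumed cmdlet).
    $certMaps = @(Get-SmbServerCertificateMapping -ErrorAction SilentlyContinue)
    if ($s.EnableSMBQUIC -and $certMaps.Count -eq 0) { $findings += 'QUIC enabled but no server certificate mapping exists' }
    # Confirm something is actually bound to UDP/443 on this host.
    $udp443 = @(Get-NetUDPEndpoint -LocalPort 443 -ErrorAction SilentlyContinue)
    if ($s.EnableSMBQUIC -and $udp443.Count -eq 0) { $findings += 'Nothing is listening on UDP/443' }
    [pscustomobject]@{
        EnableSMBQUIC                          = $s.EnableSMBQUIC
        RestrictNamedPipeAccessViaQuic         = $s.RestrictNamedPipeAccessViaQuic
        DisableSmbEncryptionOnSecureConnection = $s.DisableSmbEncryptionOnSecureConnection
        CertificateNames                       = $certMaps.Name
        Findings                               = $(if ($findings) { $findings } else { 'OK' })
    }
}

function Test-SmbQuicMapping {
    param([Parameter(Mandatory)][string]$RemotePath)
    # -TransportType QUIC fails instead of falling back to TCP/445; no drive letter is needed.
    New-SmbMapping -RemotePath $RemotePath -TransportType QUIC -ErrorAction Stop | Out-Null
    $m = Get-SmbMapping -RemotePath $RemotePath
    [pscustomobject]@{
        RemotePath    = $RemotePath
        TransportType = $m.TransportType
        Status        = $m.Status
        UsesQuic      = ($m.TransportType -eq 'QUIC')
    }
}

# Usage (the share path is the article's example, not a real host):
Get-SmbQuicClientPosture
Get-SmbQuicServerPosture
Test-SmbQuicMapping -RemotePath '\\Demo-vm-01\smb-quic-demo'
```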

Certificate usage guidelines

When it comes to the certificate requirements, the recommendations will not come as a surprise. Avoid using self-signed certificates. Yes, even in the lab, if possible. I run a permanent Active Directory Certificate services Public Key Infrastructure (PKI) in the lab. It also helps maintain my skillset around PKI technologies. For me, the effort is worth it.

Use only certificates from a privately or publicly trusted root certification authority. That means a commercial certificate, “Let’s Encrypt,” or your own Public Key Infrastructure.

The Certificate Authority-issued certificate will have the following properties:

  • Key usage: digital signature, non-repudiation
  • Purpose: Server Authentication (EKU 1.3.6.1.5.5.7.3.1)
  • Signature algorithm: SHA256RSA (or greater)
  • Signature hash: SHA256 (or greater)
  • Public key algorithm: ECDSA_P256. You can still use RSA with at least 2048 length but hey, go modern.
  • Subject Alternative Name (SAN): Every DNS name entry for each fully qualified DNS name used to reach the SMB server
  • Subject: CN="Name" (whatever makes sense, but it cannot be empty)
  • Private key included: yes
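An added PowerShell example (not from the article or the Microsoft docs) that audits certificates in the machine store against the properties listed above; the same list appears in Step 1 of the Microsoft docs section, so it serves both. Assumptions: Windows PowerShell 5.1 or later; $ExpectedDnsNames are the names clients will use and are yours to supply; the SAN is parsed from the English "DNS Name=" format string.

```powershell
# Added example: check a certificate against the SMB over QUIC requirements.
function Test-SmbQuicCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$ExpectedDnsNames = @()
    )
    process {
        $findings = @()

        # Purpose: Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be present.
        $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
            $findings += 'Missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
        }

        # Key usage must include Digital Signature.
        $ku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        $ds = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        if (-not $ku -or (($ku.KeyUsages -band $ds) -eq 0)) { $findings += 'Key usage does not include Digital Signature' }

        # Signature algorithm and hash: SHA-256 or stronger (sha256RSA, sha384ECDSA, ...).
        $sig = $Certificate.SignatureAlgorithm.FriendlyName
        if ($sig -notmatch '^sha(256|384|512)') { $findings += "Signature algorithm too weak: $sig" }

        # Public key: ECDSA P-256 or larger, or RSA with at least 2048 bits.
        $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Certificate)
        $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($ecdsa)   { if ($ecdsa.KeySize -lt 256)  { $findings += "ECDSA key too small: $($ecdsa.KeySize)" } }
        elseif ($rsa) { if ($rsa.KeySize -lt 2048)   { $findings += "RSA key too small: $($rsa.KeySize)" } }
        else          { $findings += 'Public key is neither ECDSA nor RSA' }

        # SAN: one DNS entry per name clients use. Format() output is locale dependent.
        $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $dnsNames = @()
        if ($san) {
            $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
        if ($dnsNames.Count -eq 0) { $findings += 'No DNS names in Subject Alternative Name' }
        foreach ($n in $ExpectedDnsNames) { if ($dnsNames -notcontains $n) { $findings += "SAN lacks $n" } }

        # Subject present, private key present, issued by a CA (not self-signed), not expired.
        if ([string]::IsNullOrWhiteSpace($Certificate.Subject)) { $findings += 'Empty Subject' }
        if (-not $Certificate.HasPrivateKey) { $findings += 'No private key' }
        if ($Certificate.Subject -eq $Certificate.Issuer) { $findings += 'Self-signed: clients will not trust it' }
        if ($Certificate.NotAfter -lt (Get-Date)) { $findings += 'Expired' }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            DnsNames   = $dnsNames
            Compliant  = ($findings.Count -eq 0)
            Findings   = $findings
        }
    }
}

# Usage: audit the machine Personal store, expecting the article's lab names.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-SmbQuicCertificate -ExpectedDnsNames 'fsquic.datawisetech.corp', 'quicedge.datawisetech.com' |
    Format-List
```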

Creating an SMB over QUIC certificate template

Open the Certificate Authority MMC, select “Certificate Templates,” right-click and select “Manage.” We duplicate the computer template and adapt it to the needs and requirements for an SMB over QUIC certificate.

Figure 5: Duplicate the computer certificate.

First of all, set the compatibility settings to the latest and greatest to get the most modern features and the best security.

Figure 6: Set compatibility to the latest and greatest.

On the “General” tab, the second thing we do is fill out the template display name and name to identify it easily. We also select to publish the certificate in Active Directory.

Figure 7: Enter meaningful names and publish the certificate in Active Directory.

In the “Request Handling” tab, set the purpose for the certificate to “Signature.” Click OK on any warning you’ll see there.

Figure 8: The only purpose is signature.

On the “Cryptography” tab, we set the provider category to Key Storage Provider, and for the algorithm, we select ECDSA_P256. That is a bit more modern than RSA and also a bit faster. Finally, set the request hash to SHA256.

Figure 9: Modern provider, algorithm, key size, and hash size.

On the “Extensions” tab, go to “Application Policies” and remove client authentication.

Figure 10: The only purpose is Server Authentication.

Via the security tab, you can set the permissions as to who and what is allowed. For this purpose, I can leave it at the defaults (domain computers are allowed to enroll).

Figure 11: The default security settings will be OK here.

On the “Subject Name” tab, we select “Supply in the request.” Click “OK” on any warning you get. We need to set custom names for our SMB over QUIC file server(s), so we elect to supply them manually. Tick the box to “Use subject information from existing certificates for autoenrollment renewal requests.”

Figure 12: Supply subject name info in the request.

Click “OK.” That’s it! We created our new SmbOverQuic certificate template. We now publish it so we can enroll our server to get one.

Figure 13: Enable the SmbOverQuic cert so we can issue it.

That’s it. You will now have the SmbOverQuic certificate template available when requesting certificates from your certification authority.

Get a certificate for the SMB over QUIC file server

On the file server, launch the local computer certificate store. Using certlm from an elevated command prompt is the fastest way to get there.

Now right click on “certificates” in the “Personal” store. Choose “All tasks” and select “Request New Certificate.”

Figure 14: Request a new certificate

Click through the “Before You Begin” message and select “Active Directory Enrollment Policy.” Click “Next.”

Figure 15: We use the Active Directory Enrollment Policy

Find and select the SmbOverQuic certificate template we created earlier and click on the hyperlink to enter the custom information.

Figure 16: We find the SmbOverQuic cert that we prepared.

We set the subject name to a type of “Common Name” and enter a subject name for the cert. I chose the server’s name “W2K22Azure”.

Under alternative names, I chose a type of “DNS” and entered both the hostnames and the FQDNs that I want to use for this file server internally: W2K22Azure, W2K22Azure.datawisetech.corp, fsquic and fsquic.datawisetech.cor. I also entered the external domain name quicedge.datawisetech.com. I went overboard a bit for further testing.

Figure 17: Fill out the Subject Name and the SANs

Click “Apply” and “OK.”

Figure 18: Click enroll.

Click on enroll and wait a moment to see whether this was successful.

Figure 19: Congrats, you have your certificate!

Cool, we now have a cert on the file server to configure SMB over QUIC!
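
Before moving on, it is worth confirming that the certificate the CA issued actually matches what the template was built to produce. The following PowerShell check is an added example and is not part of Didier’s post: it looks the certificate up in the local machine Personal store, then verifies that a private key is present, that Server Authentication is the only authentication EKU (Client Authentication was removed from the template), that the key is ECDSA and the signature hash is SHA256, and that every DNS name you entered as a SAN is really there. The subject CN and the names are the ones used in the post; the function name, the store lookup by CN, and the expected-name list are assumptions you should adjust to your own enrollment.

```powershell
# Added example (not from the original post): verify that the certificate
# enrolled from the SmbOverQuic template matches what the template intended.
# Assumptions: the cert sits in LocalMachine\My and its subject CN is the
# server name used in the post ("W2K22Azure"). Adjust $SubjectCN and
# $ExpectedDnsNames to your own enrollment.

$SubjectCN = 'W2K22Azure'
$ExpectedDnsNames = @(
    'W2K22Azure',
    'W2K22Azure.datawisetech.corp',
    'fsquic',
    'quicedge.datawisetech.com'
)

# Standard OIDs (IETF/ITU-assigned, not specific to this post)
$OidServerAuth     = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$OidClientAuth     = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$OidEcPublicKey    = '1.2.840.10045.2.1'   # id-ecPublicKey (ECDSA key)
$OidSubjectAltName = '2.5.29.17'           # subjectAltName extension

function Test-SmbOverQuicCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string[]]$ExpectedDnsNames
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Without a private key the server cannot terminate the TLS 1.3 tunnel.
    if (-not $Certificate.HasPrivateKey) {
        $problems.Add('No private key is associated with the certificate')
    }

    # 2. EKU: Server Authentication required; Client Authentication should be gone.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $OidServerAuth) {
        $problems.Add('Server Authentication EKU is missing')
    }
    if ($ekuOids -contains $OidClientAuth) {
        $problems.Add('Client Authentication EKU is still present; the template should have removed it')
    }

    # 3. Key algorithm: the template asked for ECDSA_P256.
    if ($Certificate.PublicKey.Oid.Value -ne $OidEcPublicKey) {
        $problems.Add("Public key is not ECDSA (got $($Certificate.PublicKey.Oid.FriendlyName))")
    }

    # 4. Signature hash: SHA256. The CA signs with its own key type (RSA or ECDSA),
    #    so only the hash part of the algorithm name is checked here.
    if ($Certificate.SignatureAlgorithm.FriendlyName -notmatch 'sha256') {
        $problems.Add("Signature algorithm is $($Certificate.SignatureAlgorithm.FriendlyName), expected a SHA256 variant")
    }

    # 5. SANs: every name clients will connect with must be present as a DNS entry.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $OidSubjectAltName }
    $sanNames = @()
    if ($sanExt) {
        # Format($false) yields e.g. "DNS Name=fsquic, DNS Name=fsquic.example.corp"
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    foreach ($name in $ExpectedDnsNames) {
        if ($sanNames -notcontains $name) { $problems.Add("SAN is missing DNS name '$name'") }
    }

    # 6. Validity window.
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems.Add('Certificate is outside its validity period')
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        SanNames   = $sanNames
        Passed     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Pick the newest certificate with the expected subject that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectCN" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No certificate with subject CN=$SubjectCN found in LocalMachine\My" }
Test-SmbOverQuicCertificate -Certificate $cert -ExpectedDnsNames $ExpectedDnsNames | Format-List
```

Run it from an elevated PowerShell on the file server right after Figure 19. A `Passed` of `False` with a “SAN is missing” entry is the most common outcome when a name was mistyped in the enrollment dialog (the post itself shows how easy that is), and it is far cheaper to re-enroll now than to chase a certificate-name mismatch from the client side in part II. The check deliberately does not modify anything; it only reads the store.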

That’s it for now. In part II of this article, we will use our knowledge and the preparations done here to build a fully working SMB over QUIC solution.

Filed under: Software, by Didier Van Hoye

Source: https://www.starwindsoftware.com/blog/smb-over-quic-testing-guide-part-i

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Heya folks, Ned here again. Today I announced the new SMB over QUIC feature for Windows Server 2022 and Windows Insider at the Windows Server 2022, Best on Azure webinar. If you want to cut right to the chase, head to SMB over QUIC (PREVIEW) on Docs.

SMB over QUIC (Preview) offers an "SMB VPN" for telecommuters, mobile device users, and high security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of TCP/445. All SMB traffic, including authentication and authorization within the tunnel is never exposed to the network. Inside that tunnel, SMB behaves totally normally with all its usual capabilities.

Here's a demo of turning on the SMB over QUIC feature & using it. 

To learn more about SMB over QUIC, see demos, and try it out for yourself, head over SMB over QUIC (PREVIEW) on Docs! 

- Ned "quick!" Pyle

This entry was posted in Republished Content by Syndicated News. Source: https://thewindowsupdate.com/2021/06/24/smb-over-quic-is-now-in-public-preview/