Category published:  M365,AZURE,INTUNE SECURITY Server 2022 [21H2/22H2/32H2]   Click on the Category button to get more articles regarding that product.

SMB over QUIC: a OneDrive / SharePoint replacement with Server 2025?

Posted by admin on 24.07.2024

SMB over QUIC (SMB over UDP) is coming to on-premises Windows Server 2025, and it will be included in every edition, not only Datacenter: Azure Edition. Microsoft documents the setup through Windows Admin Center (WAC), the management tool built to administer your in-house server estate remotely with no Azure or cloud dependency; the QUIC listener itself runs on the file server.

With this, the Microsoft Server and Storage team shows it still believes in the on-premises market. Windows Admin Center already had an option to browse a server's local shares, so the management side was already there; what is new is that the SMB file server itself speaks QUIC, and the SMB client in Windows 11 can talk to it.

Hotpatching is also coming to Server 2025, so you no longer have to reboot every server on the maintenance evening just to keep the OS up to date.

https://datatracker.ietf.org/doc/html/rfc9000 [QUIC: A UDP-Based Multiplexed and Secure Transport]

https://en.wikipedia.org/wiki/QUIC

Until now, you could only use SMB over QUIC with Windows Server 2022 Datacenter: Azure Edition. That meant the technology was only useful for connecting clients on the road or in a home office to servers in Azure. This limitation pushed some customers into the cloud to get a modern workplace; after integrating Exchange Online and Teams they then noticed they had forgotten about the many other things IT consists of.

This new feature fills that missing piece for many users and may even serve as a replacement for modern-workplace access to SharePoint or OneDrive. It lets clients connect to an on-premises Server 2025 SMB share across the internet, with the server authenticated by a TLS 1.3 certificate, just as you have done on the LAN or over a VPN tunnel for years. User authentication still happens inside the tunnel (Kerberos via a KDC proxy, or NTLM), so MFA has to come from your identity layer rather than from QUIC itself. The best part is that the connection survives changes in the client's IP address or port (QUIC connection migration, RFC 9000 section 9). So if you are on a train, or your mobile connection hands over between cells, the mapped network drive does not drop.

REM Automatically tries TCP (port 445) first, then QUIC (UDP 443)
NET USE * \\fsedge1.contoso.com\sales

REM Tries only QUIC, no TCP attempt first
NET USE * \\fsedge1.contoso.com\sales /TRANSPORT:QUIC
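As an added example (not from the original post), the same mapping done from PowerShell with an explicit transport, plus two checks a practitioner wants before rolling this out: that the SMB client has QUIC enabled, and that TCP 445 to the edge server is not reachable from where the client sits (if it is, classic SMB is exposed to the internet, and the automatic mode also wastes time on a TCP attempt that can never succeed). The server name and share come from the post; the drive letter is an assumption.

```powershell
# Added example: map an SMB over QUIC share from a Windows 11 client and verify it.
# Server name and share are from the post; drive letter Z: is an assumption.
$Server = 'fsedge1.contoso.com'
$Share  = 'sales'

# 1. The SMB client must have QUIC enabled (default on Windows 11, but check).
$clientCfg = Get-SmbClientConfiguration
if (-not $clientCfg.EnableSMBQUIC) {
    Set-SmbClientConfiguration -EnableSMBQUIC $true -Force
}

# 2. From outside the LAN, TCP 445 on the edge server should NOT be reachable.
#    If it is, you have published classic SMB to the internet, which is exactly
#    what SMB over QUIC is supposed to avoid.
$tcp445 = Test-NetConnection -ComputerName $Server -Port 445 -WarningAction SilentlyContinue
if ($tcp445.TcpTestSucceeded) {
    Write-Warning "TCP 445 on $Server is reachable from here. Check the edge firewall."
}

# 3. Map the drive and force the QUIC transport so the client does not wait on a
#    TCP attempt first (the equivalent of NET USE ... /TRANSPORT:QUIC).
New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$Server\$Share" -TransportType QUIC -Persistent $true

# 4. Confirm the mapping exists and show the negotiated dialect and protection state.
Get-SmbMapping -LocalPath 'Z:'
Get-SmbConnection -ServerName $Server |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```

Run it from a client on the internet, not from the LAN: on the LAN the TCP 445 check will (correctly) succeed, and that is not a finding.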

 

What you need to migrate your things and get started 😉

  • Server 2025 fileserver
  • All your clients on Windows 11

The Windows 11 minimum on the client side may be a downside for some medium-sized companies.

First things first: security. Is it safe to do SMB over the unsafe internet?

  • Recommended: a read-only domain controller (RODC) with no internet access (recommended, not required, but it shows this would also be a solution for medium-sized shops, because you already need an additional read-only DC anyway)
  • Recommended: a KDC proxy so that clients use Kerberos instead of NTLM (Server 2025 brings big Kerberos improvements across the whole product line)
  • Recommended: MFA (two-factor or multi-factor authentication) at the identity layer
  • Recommended: a third-party IPS and a brute-force-blocking next-generation firewall in front of everything
  • No NTLMv2 authentication or authorization occurs outside the TLS 1.3-encrypted QUIC tunnel (https://datatracker.ietf.org/doc/html/rfc9001)
  • It supports a DFS enterprise file server structure, and works only with the FQDN, not an IP address, because the name you connect to must be covered by the server certificate
  • Windows Admin Center (WAC 2110 or later) is the documented way to configure it; PowerShell works too. Note that the incoming UDP 443 hits the file server itself, not the WAC host, so that is the port you publish
  • Works across source IP address changes and packet loss (https://datatracker.ietf.org/doc/html/rfc9002)
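To make the points in the list concrete, here is an added server-side example (not from the post or from Microsoft's documentation): it checks that the SMB server has QUIC enabled, keeps named-pipe access over QUIC restricted, and publishes only UDP 443 while blocking classic SMB on TCP 445 for the Public firewall profile. The cmdlet parameters are the ones documented for Windows Server 2022 Datacenter: Azure Edition and are assumed to be unchanged in Server 2025; the firewall rule names are assumptions.

```powershell
# Added example: server-side hardening checks for an SMB over QUIC file server.
# Cmdlet parameters as documented for Server 2022 Datacenter: Azure Edition
# (assumed unchanged in Server 2025); rule names are assumptions.

# 1. QUIC must be enabled on the SMB server. Named-pipe access over QUIC
#    (RPC-style admin pipes) should stay restricted so that only file shares,
#    not management interfaces, are reachable through the internet-facing port.
$srv = Get-SmbServerConfiguration
if (-not $srv.EnableSMBQUIC) {
    Set-SmbServerConfiguration -EnableSMBQUIC $true -Force
}
if (-not $srv.RestrictNamedpipeAccessViaQuic) {
    Set-SmbServerConfiguration -RestrictNamedpipeAccessViaQuic $true -Force
}

# 2. Firewall: the only SMB port published to the internet is UDP 443 (QUIC).
#    TCP 445 must not be reachable from untrusted networks; here it is blocked
#    on the Public profile. The edge firewall in front should enforce the same.
if (-not (Get-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443 in)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443 in)' -Direction Inbound `
        -Protocol UDP -LocalPort 443 -Action Allow -Profile Any
}
if (-not (Get-NetFirewallRule -DisplayName 'Block SMB TCP 445 from Public' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block SMB TCP 445 from Public' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Public
}

# 3. Report the resulting state for the change record.
Get-SmbServerConfiguration |
    Select-Object EnableSMBQUIC, RestrictNamedpipeAccessViaQuic, RequireSecuritySignature, EncryptData
Get-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443 in)', 'Block SMB TCP 445 from Public' |
    Select-Object DisplayName, Direction, Action, Profile, Enabled
```

The certificate mapping for the QUIC listener is the other half of the setup and is handled separately below, because it is also the piece that has to be repeated at every renewal.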

     

As an example, Fortinet already has experience with QUIC inspection and DNS over QUIC:

https://docs.fortinet.com/document/fortigate/7.4.0/new-features/777101/enhancement-to-quic-and-https3-inspection-7-4-1

https://docs.fortinet.com/document/fortigate/7.4.0/new-features/257741/gui-support-for-dns-over-quic-and-dns-over-http3-for-transparent-and-local-in-dns-modes-7-4-4

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/984075/blocking-quic-manually-new

 

Problems, points to watch:

It has to be published somehow, and yes, they also cook with water. The configuration runs through the WAC server, which was planned to manage the server estate from outside. That gives M365/Azure admins (and managers) a familiar interface for on-premises servers, since they may not know the older tooling. The share itself, however, is served by the file server's QUIC listener on UDP 443, not by WAC, so what you publish to the internet is the file server, and WAC stays an internal management plane. If that management plane is what you don't like, this is the part to look at.

But if you look at the BeyondTrust remote access appliances that enterprise admins use today, and at the Citrix Gateway 0-day exploits, you may rethink all of that. Is that any more secure? So maybe the WAC server is not so bad after all, given that everything fails these days.

You could browse local server shares on the WAC already, and now they have enhanced that part significantly.

So there is SMB over the internet without requiring an SSL VPN, secured by a server certificate. If that certificate expires, the QUIC listener stops accepting connections and the share is gone for remote clients (TCP 445 on the LAN is not affected).

Downside: you don't like certificate renewals, right?

For Windows Server 2022 Datacenter: Azure Edition, an expired SMB over QUIC certificate that you replace with a new certificate from the issuer will contain a new thumbprint. While you can automatically renew SMB over QUIC certificates when they expire using Active Directory Certificate Services, a renewed certificate gets a new thumbprint as well. This means that SMB over QUIC must be reconfigured when the certificate expires, as a new thumbprint must be mapped.
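The thumbprint problem above is mechanical, so it can be scripted. The following is an added example (not from the post or from Microsoft's documentation) that binds the QUIC listener to the newest valid certificate for the server FQDN on first run, and on every later run compares the bound thumbprint with the newest certificate in the machine store and re-binds when a renewal has produced a new one. It also warns ahead of expiry. The FQDN is from the post; the 14-day warning window and the cmdlet parameter names (as documented for Server 2022 Datacenter: Azure Edition) are assumptions.

```powershell
# Added example: bind the SMB over QUIC listener to the newest valid certificate
# for the server FQDN, and re-bind when a renewal produced a new thumbprint.
# Run once at setup and again after every renewal (e.g. from a scheduled task).
# FQDN from the post; warning window and cmdlet parameters are assumptions.
param([string]$Fqdn = 'fsedge1.contoso.com')

# Newest certificate in the machine store that has a private key, is still
# valid, and carries the FQDN in its DNS names (SAN, or CN as fallback).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.NotAfter -gt (Get-Date) -and
                   $_.DnsNameList.Unicode -contains $Fqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $Fqdn in Cert:\LocalMachine\My" }

# Warn early: a listener still bound to a certificate that is about to expire
# is exactly the outage described above.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 14) { Write-Warning "Certificate for $Fqdn expires in $daysLeft days" }

$mapping = Get-SmbServerCertificateMapping |
    Where-Object { $_.Name -eq $Fqdn } | Select-Object -First 1

if (-not $mapping) {
    # First-time setup: no mapping yet.
    New-SmbServerCertificateMapping -Name $Fqdn -Thumbprint $cert.Thumbprint -StoreName My
    "Created mapping $Fqdn -> $($cert.Thumbprint)"
}
elseif ($mapping.Thumbprint -ne $cert.Thumbprint) {
    # Renewal: the store holds a newer certificate with a different thumbprint.
    # The mapping is keyed by thumbprint, so it has to be removed and re-created.
    Remove-SmbServerCertificateMapping -Name $Fqdn -Thumbprint $mapping.Thumbprint -Confirm:$false
    New-SmbServerCertificateMapping -Name $Fqdn -Thumbprint $cert.Thumbprint -StoreName My
    "Re-bound $Fqdn : $($mapping.Thumbprint) -> $($cert.Thumbprint)"
}
else {
    "Mapping for $Fqdn already uses the newest certificate ($($cert.Thumbprint))"
}

# Show the current binding for the change record.
Get-SmbServerCertificateMapping | Where-Object { $_.Name -eq $Fqdn } |
    Format-Table Name, Subject, Thumbprint, StoreName
```

Pair this with an auto-enrollment template from your AD CS and a scheduled task that runs shortly after the renewal window, and the "new thumbprint must be mapped" step stops being a manual chore.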


SMB over QUIC in Windows | Microsoft Learn

https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-over-quic?tabs=windows-admin-center%2Cwindows-admin-center1

RFC 9000 – QUIC: A UDP-Based Multiplexed and Secure Transport (ietf.org)

https://datatracker.ietf.org/doc/html/rfc9000

 

RFC 9001 – Using TLS to Secure QUIC (ietf.org)

https://datatracker.ietf.org/doc/html/rfc9001

RFC 9002 – QUIC Loss Detection and Congestion Control (ietf.org)

https://datatracker.ietf.org/doc/html/rfc9002

WAC Windows Admin Center Server

Windows Admin Center (WAC) is “a locally-deployed, browser-based management tool that lets you manage your Windows Servers, clusters, hyper-converged infrastructure, and Windows 10 PCs with no Azure or cloud dependency.”

Windows Admin Center version 2110 is now generally available! – Microsoft Community Hub

https://techcommunity.microsoft.com/t5/windows-admin-center-blog/windows-admin-center-version-2110-is-now-generally-available/ba-p/2911579

More Server 2025 News….

Hot patching Coming to All Windows Server 2025 Editions

 

Hotpatching is currently available in Windows Server 2022 Datacenter Azure Edition, but Microsoft plans to add this feature to the Standard and Datacenter editions of Windows Server 2025.

This Windows Server 2025 announcement received the most attention at Ignite 2023. Hotpatching allows admins to install security updates without a reboot, whereas normally a reboot is required to finish the patch process and update system files.

Microsoft is expected to impose an additional fee for hotpatching, a service that requires Azure Arc and Software Assurance. The enthusiasm surrounding Windows Server hotpatching suggests that many companies will be prepared to pay the extra cost for this convenience. This feature may lead many organisations to reassess their update management strategy, opting to implement updates more promptly rather than delaying them until quieter periods.

But more important, we think, is still SMB over secure lines... a dream come true? SMB over QUIC (UDP) is coming to on-premises Server 2025 for all OS editions.

 

