Microsoft is simplifying how you’ll connect to Windows file servers over the internet. It’s time to say goodbye to the VPN.
Change is afoot: parts of the internet are moving away from TCP, the transport protocol that has been its foundation since the very start. Google began work on what eventually became QUIC in the early 2010s, and in 2018 the IETF adopted it as the transport underneath HTTP/3. Finally, in May 2021, the Internet Engineering Task Force issued RFC 9000, turning QUIC into an internet standard.
(QUIC doesn’t stand for anything. While there was an initial plan to make it an acronym for Quick UDP Internet Connections, it quickly became the official name for the protocol, all in capitals.)
What is QUIC?
So what is QUIC? It runs on top of the User Datagram Protocol (UDP), the connectionless transport used by services that don’t need TCP’s guaranteed, ordered delivery, and builds its own reliable transport on it. A single QUIC connection carries many independent streams between two computers: each stream is delivered reliably and in order, but a loss on one stream doesn’t stall the others, so an application sees one non-blocking channel rather than the single ordered byte stream TCP offers. That removes TCP’s head-of-line blocking, and because connection setup takes one round trip (or none, when resuming with a server the client already knows) it also delivers significantly lower latency.
Because UDP has none of TCP’s control machinery, QUIC implements loss detection, retransmission and congestion control itself, in the transport layer it builds above UDP. Loss recovery is per stream: while QUIC retransmits the data that was carried in a lost packet on one stream, the other streams in the connection keep flowing. Encryption isn’t optional either. The TLS 1.3 handshake is folded into the connection handshake, so keys are agreed as part of setting up the connection and every QUIC connection is encrypted between its two endpoints.
Much of the focus on QUIC has been on browsers and other HTTP-based services and APIs. That’s not surprising, considering its birth inside Google. But now it’s starting to show up elsewhere, especially in services that need consistent, secure and reliable connectivity.
SMB over QUIC
It wasn’t hard for Microsoft to decide to carry its SMB file-sharing protocol over QUIC: it already had experience implementing QUIC in Edge and its Azure web services. SMB over QUIC was introduced in Windows Server 2022 Azure Edition, providing what can best be thought of as a file-sharing-specific VPN between clients or on-premises servers and Azure. SMB traffic travels inside a QUIC connection on port 443, the same port number as HTTPS but over UDP rather than TCP, instead of on the SMB-specific TCP port 445 that’s often blocked at the network edge for security reasons.
Using QUIC in this context makes a lot of sense, especially when used alongside SMB’s file compression. Windows Server 2022 Azure Edition is a key component of Microsoft’s hybrid cloud strategy, as it’s the default Windows Server virtual machine image on both Azure and the on-premises Azure Stack HCI. With Azure Files support planned, the ability to quickly enable a QUIC-based file-sharing connection between your data center and the Azure public cloud is a significant benefit, as you don’t need the complexity and overhead of a VPN. There’s a bonus in that it uses the familiar 443 port number, so many firewalls already let it through; the one caveat is that the traffic is UDP, and a policy that permits only TCP 443 outbound will need a matching rule for UDP 443.
Microsoft is encouraging customers to move to Azure Stack HCI, so making SMB over QUIC contingent on Windows Server 2022 Azure Edition makes sense. Reducing the complexity associated with cross-internet file shares is a big win, and by running on Azure Stack HCI you get site-to-site as well as site-to-cloud support. Similarly, because the client side is built into Windows 11, remote workers can reach files without needing technologies like DirectAccess.
As Vijay Kumar, director of Windows Server and Azure product marketing at Microsoft, told us, “One of the things that we kept hearing from customers was, ‘Hey we have file share in our own premises, but when we shift to the cloud, then we want to do a secure file sharing over the internet’. That’s one of the concerns that we can see when they had to transfer some of their file servers to Azure. So [SMB over QUIC] was the way to do that.” Migration to Azure doesn’t stop users wanting to share files; if anything it increases the global reach of those file shares beyond the firewall.
Kumar noted that it’s a way of improving file share performance as part of a migration to on-premises hyperconverged systems. “When they want to consolidate some of the file servers within some of their data centers on Azure Stack HCI, they can also do the same as with these big, distributed file servers with Azure, and be able to use SMB over QUIC.”
There are significant security benefits to the shift. Ned Pyle, principal program manager on the SMB team, noted in a blog post that SMB over QUIC should reduce the risk of man-in-the-middle attacks and prevent payload sniffing. The QUIC connection is established first, and as part of that TLS 1.3 handshake the server authenticates itself to the client with a certificate the client must trust. Only then does the SMB negotiation happen, inside the already encrypted channel, so the whole interaction between client and server, including the protocol negotiation that is exposed in the clear on TCP port 445, is encrypted. The usual SMB authentication of the user still takes place, inside that tunnel.
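The server-side trust described above rests on the certificate the file server presents during the QUIC handshake, so that is where an administrator should start. The following is an added example, not code from the article or from Microsoft’s documentation: run in an elevated Windows PowerShell session on a Windows Server 2022 Azure Edition file server, it checks that a certificate in the machine store is usable for SMB over QUIC, binds it to the server’s public name, confirms QUIC is enabled on the SMB server, and opens UDP 443 in Windows Firewall. The host name fsedge1.contoso.com and the rule name are assumptions.

```powershell
# Added example (not from the article or Microsoft's docs). Assumes an elevated session on a
# Windows Server 2022 Azure Edition file server; $ServerName is an assumed public FQDN.
$ServerName = 'fsedge1.contoso.com'

function Test-SmbQuicCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory)] [string] $DnsName
    )
    $problems = @()

    # The server completes the TLS 1.3 handshake with this key, so it must be present.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # Key usage must include Digital Signature.
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    $digitalSignature = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if (-not $ku -or (([int]$ku.KeyUsages) -band $digitalSignature) -eq 0) {
        $problems += 'key usage lacks Digital Signature'
    }

    # Extended key usage must include Server Authentication (1.3.6.1.5.5.7.3.1).
    if (-not ($Cert.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.1')) {
        $problems += 'EKU lacks Server Authentication'
    }

    # The name clients type must appear in the Subject Alternative Name; a CN match alone is not enough.
    if (-not ($Cert.DnsNameList | Where-Object Unicode -eq $DnsName)) {
        $problems += "SAN does not contain $DnsName"
    }

    # Weak signature hashes are rejected by TLS 1.3 clients.
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
        $problems += "weak signature algorithm $($Cert.SignatureAlgorithm.FriendlyName)"
    }

    # RSA keys must be at least 2048 bits; ECDSA keys need no size check here.
    if ($Cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1') {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
        if ($rsa.KeySize -lt 2048) { $problems += "RSA key is only $($rsa.KeySize) bits" }
    }

    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($Cert.NotAfter)" }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Problems   = $problems
        Ok         = ($problems.Count -eq 0)
    }
}

# Pick the first usable certificate in the machine store and bind it to the public name.
$candidate = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-SmbQuicCertificate -Cert $_ -DnsName $ServerName } |
    Where-Object Ok | Select-Object -First 1
if (-not $candidate) { throw "No certificate in LocalMachine\My is suitable for $ServerName" }

if (-not (Get-SmbServerCertificateMapping | Where-Object Name -eq $ServerName)) {
    New-SmbServerCertificateMapping -Name $ServerName -Thumbprint $candidate.Thumbprint -StoreName My
}

# QUIC must be enabled on the SMB server (it is on by default on Azure Edition; verify anyway).
if (-not (Get-SmbServerConfiguration).EnableSMBQUIC) {
    Set-SmbServerConfiguration -EnableSMBQUIC $true -Force
}

# QUIC is UDP: the listener is UDP 443, not the TCP 443 that most edge firewalls already permit.
# Adds an explicit rule if none by this (assumed) name exists; harmless if the port is already open.
$ruleName = 'SMB over QUIC (UDP 443 in)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP -LocalPort 443 -Action Allow
}

Get-SmbServerCertificateMapping | Format-Table Name, Thumbprint, StoreName
```

If the server runs in Azure, the network security group in front of it needs an inbound UDP 443 rule as well; Windows Firewall alone is not enough. Self-signed certificates work for a lab, but for the man-in-the-middle protection described above to mean anything the issuing CA has to be one the Windows 11 clients already trust.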
QUIC beyond Windows Server 2022
It’s interesting to note that SMB over QUIC is a Windows 11 feature. With the pandemic shifting many of us to working from home, a secure OS with simplified access to corporate resources is going to be increasingly important, whether those resources are running on-premises or in the public cloud. SMB over QUIC should significantly reduce the need to run VPNs, freeing up VPN capacity for other traffic and improving the user experience.
Instead of firing up a VPN to connect to file servers, a user will be able to connect to them exactly the same way as they would on-premises. The SMB client first tries TCP port 445 as normal, and if that fails, it switches to QUIC on UDP 443 automatically. There’s no user interaction necessary; all you need to do is connect to a share the way you always have done.
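The automatic fallback is convenient for users but unhelpful when you want to prove that a share really is being reached over QUIC. The following is an added example, not code from the article or from Microsoft’s documentation: run in an elevated session on a Windows 11 client, it maps a share with the transport pinned to QUIC, so the mapping fails loudly instead of silently using TCP 445, and then checks that TCP 445 is in fact closed on the server. The host name fsedge1.contoso.com, the share name and the drive letter are assumptions.

```powershell
# Added example (not from the article or Microsoft's docs). Assumes an elevated session on a
# Windows 11 client; server name, share and drive letter are assumptions.
$Server = 'fsedge1.contoso.com'
$Share  = 'sales'
$Drive  = 'Z:'

# Confirm the client itself has not had SMB over QUIC turned off before blaming the network.
# (Property check guards against SMB client builds that do not expose EnableSMBQUIC.)
$clientCfg = Get-SmbClientConfiguration
if ($clientCfg.PSObject.Properties['EnableSMBQUIC'] -and -not $clientCfg.EnableSMBQUIC) {
    throw 'SMB over QUIC is disabled on this client (Set-SmbClientConfiguration -EnableSMBQUIC $true)'
}

# Default behaviour is TCP 445 first, QUIC only if that fails. -TransportType QUIC removes the
# fallback: if QUIC cannot be negotiated (UDP 443 blocked, untrusted server certificate, or a
# server without SMB over QUIC) the mapping errors out rather than quietly using TCP.
try {
    New-SmbMapping -LocalPath $Drive -RemotePath "\\$Server\$Share" -TransportType QUIC -ErrorAction Stop | Out-Null
} catch {
    # Do not work around a certificate error with -SkipCertificateCheck outside a lab: it
    # discards the server authentication that makes QUIC resistant to interception.
    throw "QUIC mapping to \\$Server\$Share failed: $($_.Exception.Message)"
}

Get-SmbMapping -LocalPath $Drive | Format-List LocalPath, RemotePath, Status

# An SMB-independent cross-check: if TCP 445 is closed on the server (as it should be on an
# internet-facing file server) and the QUIC mapping above succeeded, the traffic is on UDP 443.
$tcp445 = Test-NetConnection -ComputerName $Server -Port 445 -WarningAction SilentlyContinue
"TCP 445 reachable on ${Server}: $($tcp445.TcpTestSucceeded)"
```

The same pinning is available from a command prompt as NET USE with /TRANSPORT:QUIC. Pinning the transport is a diagnostic, not a deployment setting: once the QUIC path is known to work, ordinary mappings can be left to the default TCP-then-QUIC behaviour the article describes.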
Microsoft anticipates a future for SMB over QUIC beyond the data center, with the increasing importance of its own Azure Stack Edge hardware. Here, connectivity isn’t guaranteed, with sites using wireless communications to connect to the wider internet. QUIC is designed to work more effectively over unreliable connections, especially where connections may hand off between cellular towers. QUIC connections are identified by connection IDs rather than by the client’s IP address and port, so a connection can survive the client changing networks, allowing quick reconnection and a speedy resumption of data transfers.
With QUIC part of Windows Server 2022, it’s now being used to add support for HTTP/3 to Microsoft’s own services. The Outlook.com team is using it on Exchange Online’s web portal, showing significant improvements, especially over the links between clients and front-end servers, with a 60% reduction in latency. We’re likely to see more Microsoft services move to supporting HTTP/3, as support is already available in the current builds of its Chromium-based Edge browser.