Access Azure File Share with SMB over QUIC

10 Min. Read

Azure Files enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol or the Network File System (NFS) protocol. That means that multiple VMs can share the same files with both read and write access. You can also read the files using the REST interface or the storage client libraries.

One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files from anywhere in the world using a URL that points to the file and includes a shared access signature (SAS) token. You can generate SAS tokens; they allow specific access to a private asset for a specific amount of time.

In this article, we will share with you how to map and access Azure File Share with SMB over QUIC so you can eliminate the use of VPN when SMB TCP port 445 is blocked.

Introduction

Internet Service Providers (ISP) are often blocking TCP port 445 so we cannot access and map a drive on a Windows Client computer with an Azure File Share. In these scenarios, Microsft has documented that you could configure a Point-to-Site (P2S) VPN on Windows for use with Azure Files, or you could configure a Site-to-Site VPN for use with Azure Files.

So besides the Point-to-Site (P2S) and Site-to-Site (S2S) VPN connection, what other options are there to access and map a drive with Azure Files (share)?

> Solution 1 – Use Azure File Sync – We do not want an on-premises file server, all files are in Azure Files.

> Solution 2 – Unblock port 445 with help of your ISP – It is not possible with our ISP.

> Solution 3 – Use REST API-based tools like Storage Explorer and PowerShell – We want to give the user the same experience as the mapped drive from an on-premises file server.

> Solution 4 – If Azure File Sync or VPN is not a viable option for you, Microsoft recommends evaluating the MyWorkDrive solution (Azure Files Remote Access with MyWorkDrive).

So up until today, you need to choose one of the solutions noted above to give access for your users to Azure Files or you need to disregard this solution altogether.

The good news is, Microsoft has announced at Ignite 2021 that SMB over QUIC is now generally available (GA). And with that, we can use Azure File Sync (AFS) on Windows Server 2022 Azure Edition with QUIC enabled and use it to access Azure File Shares and give the users a seamless experience.

At the time of this writing, Microsoft is actively working on building QUIC support into Azure Files directly without the need to use Azure File Sync as an intermediary, however, there are no timelines on when this capability will become available. So until this support becomes available, let’s see how to map and access Azure File Share with SMB over QUIC with Azure File Sync.

SMB over QUIC quick overview

SMB over QUIC offers an “SMB VPN” for telecommuters, mobile device users, and high-security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of the legacy TCP port 445. All SMB traffic, including authentication and authorization within the tunnel, is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change. SMB features like multichannel, signing, compression, continuous availability, directory leasing, and so on, work normally.

QUIC is an IETF-standardized protocol that replaces TCP with a web-oriented UDP mechanism that theoretically improves performance and congestion but still tries to maintain TCP’s reliability & broad applicability. Unlike TCP, QUIC is always encrypted and requires TLS 1.3 with certificate authentication of the tunnel.

For more information about SMB over QUIC, you can read the public announcement by ‘Ned Pyle Principal  PM‘ and the owner of this feature on Microsoft documentation.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) A file server running Windows Server 2022 Datacenter: Azure Edition deployed in Azure with the Storage Sync Agent installed (check how to get started with Azure File Sync).

3) Azure storage account – You can follow the instructions described here to create a general-purpose storage account.

4) You need one or more file shares – You can follow the instructions described here to create an Azure file share.

5) You need Windows 11 client computer available for your users (Windows for business). Windows 10 client does not support SMB over QUIC.

6) You need the latest version of Windows Admin Center installed on a management PC or the file server. At the time of this writing, Windows Admin Center version 2110 is the latest release. You can download it from here.

> You need also the latest version of the Files & File Sharing extension. It’s installed automatically by Windows Admin Center if Automatically update extensions are enabled in Settings > Extensions.

> If you don’t want to install Windows Admin Center on a management PC or the file server, you can follow the steps described in this article to manage Windows Server directly from the Azure Portal. In this example, we will be managing the edge file server with Windows Admin Center from the Azure Portal.

7) You need a Public Key Infrastructure (PKI) to issue certificates like Active Directory Certificate Server or access to a trusted third party certificate issuer like Verisign, Digicert, Let’s Encrypt, and so on (more on this in the next section).

8) Optional, NOT required but recommended is to have a domain controller configured where you can join the edge file server in Azure, as well as join the Windows 11 clients to your domain. Microsoft recommends deploying read-only domain controllers configured only with passwords of mobile users (remote workers) to be made available to the file server. In this example, we have not deployed a domain controller. The edge file server deployed in Azure with the Azure File Sync agent installed, as well as, the Windows 11 client is WORKGROUP. Of course, this is not ideal for enterprises with a large number of users and for security reasons.

9) Optional, NOT required but recommended is to configure the Kerberos KDC Proxy. By default, a Windows 11 client won’t have access to an Active Directory domain controller when connecting to an SMB over a QUIC file server. This means authentication uses NTLMv2, where the file server authenticates on behalf of the client. Microsoft recommends using Kerberos as a general security best practice and doesn’t recommend creating new NTLMv2 dependencies in deployments. Please follow the steps described in this article to configure the KDC Proxy. Microsoft also noted that automatic configuration of the KDC Proxy will come later in the SMB over QUIC and these steps will not be necessary anymore.

Step 1: Issue a server certificate

As noted in the prerequisites section and documented officially by Microsoft. To use SMB over QUIC on Windows Server 2022, you need to create and issue a certificate for your file server.

In this example, we will be using a third-party certificate issuer from Let’s Encrypt for our server which is deployed in Azure (IaaS VM). This server will be used as an edge file server by our users who are working remotely because they can’t access their server anymore with SMB TCP port 445 over the Internet. You need a domain name pointed towards your file server in Azure.

If you want to use a Microsoft Enterprise Certificate Authority instead of a third-party certificate issuer, then you can create a certificate template and allow the file server administrator to supply the DNS names when requesting it. For more information on creating a certificate template, please review the documentation on Designing and Implementing a PKI: Part III Certificate Templates.

Install Let’s Encrypt Certificate on Windows Server 2022

You can skip the steps below if you have already issued a server certificate.

There is a specialized tool that is used for LetsEncrypt for Windows called the win-acme tool. The easiest way to grab a copy of win-acme is to visit the official site for the open-source tool and download the latest version.

When you first launch the tool, you will see a fairly wizard-driven menu that allows you to choose what you are trying to accomplish.

The options that are highlighted in green are the defaults. So, if you just go down through the menu hitting enter, these are the options that will be selected. In this example, we selected “M: Create certificate full options“.

M: Create certificate full options
M: Create certificate full options

Next, you choose how you want to verify the ownership of the domain that you are keying the certificate for. The ACME server needs to be able to verify you are the owner of the domain. As is noted in the wizard, this happens both during the initial setup and for all renewals in the future.

Serve verification files from memory
Serve verification files from memory

After ownership of the domain(s) has been proven, the win-acme tool will create a Certificate Signing Request (CSR) to obtain the actual certificate. The CSR determines the properties of the certificate like which (type of) key to use. Choose the “RSA key” as shown in the figure below.

RSA Key
RSA Key

Next, you can select where to store the certificate to make it accessible to your applications. There are several options to choose from. In this example, we chose “Windows Certificate Store (default)” as shown in the figure below.

Windows Certificate Store
Windows Certificate Store

Next, you need to choose how you want the win-acme tool to update the bindings. In this example, we chose “No additional installation steps“.

In the final step, you can enter emails for notifications about problems and abuse as well before the updates happen.

Once the certificate is issued, you need to make sure it has the following properties as documented by Microsoft:

> Key Usage: digital signature
> Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
> Signature algorithm: SHA256RSA (or greater)
> Signature hash: SHA256 (or greater)
> Public key algorithm: ECDSA_P256 (or greater. You can also use RSA with at least 2048 length)
> Subject Alternative Name (SAN): A DNS name entry for each fully qualified DNS (FQDN) name used to reach the SMB file server over QUIC
> Subject: (CN= could be anything, but must exist)
> Private key included: yes

We have blur-boxed the “Subject” value for obvious reasons.

Third-party certificate properties
Third-party certificate properties

If you’re using a certificate file issued by a third-party certificate authority as documented in this article, then you can use the Certificates (MMC) snap-in or Windows Admin Center to import it as shown in the figure below.

Windows Admin Center - Certificate Stores
Windows Admin Center – Certificate Stores

The win-acme tool will import the certificate automatically under the Local Machine\My certificate store.

Step 2: Configure SMB over QUIC

This section will show you how to configure SMB over QUIC for Windows Server 2022 Datacenter: Azure Edition deployed in Azure with the Storage Sync Agent installed.

Assuming you have all the prerequisites in place, connect to the server with Windows Admin Center and click the Settings icon in the lower left.

In the File shares (SMB server) section, under File sharing across the internet with SMB over QUIC, click on Configure as shown in the figure below.

Windows Admin Center - Configure SMB over QUIC
Windows Admin Center – Configure SMB over QUIC

Next, select a certificate under Configure file sharing across the Internet with SMB over QUIC for this file server, then Select All for addresses that SMB over QUICK clients can connect to (in this example, we have three addresses), and then click Enable as shown in the figure below. Make sure that the certificate you select and SMB over QUIC report is healthy.

Configure file sharing across the Internet with SMB over QUIC
Configure file sharing across the Internet with SMB over QUIC

Next, specify the administrator account to use when connecting to the file server by CredSSP connection.

In the final step, click on the Files and File Sharing menu option. Note your existing SMB shares or create a new one where the server endpoint path for the storage sync service is configured.

Windows Admin Center - File shares
Windows Admin Center – File shares

In this example, we did not enable Kerberos KDC Proxy as shown in the figure below. Optional, NOT required but recommended is to configure the Kerberos KDC Proxy as documented by Microsoft here.

Kerberos KDC Proxy
Kerberos KDC Proxy

Step 3: Connect to Azure File Share over QUIC

This section will show you how to connect and access Azure File Share with SMB over QUIC for Windows Server 2022 Datacenter: Azure Edition deployed in Azure with the Storage Sync Agent installed.

First, you need to make your Windows Server 2022 Datacenter: Azure Edition file server is accessible to Windows 11 clients on the Azure public interface by adding a firewall rule to allow inbound for UDP/443 in your Network Security Group (NSG) as shown in the figure below. Please Do NOT allow TCP/445 inbound to the file server, so there’s no way anymore to do SMB like we’ve been doing it for the last 20 years. It’s just not allowed anymore. You can also filter the source IP address range for the UDP/443 rule for added security.

Allow Inbound for UDP/443 - Network Security Group
Allow Inbound for UDP/443 – Network Security Group

As a side note, if you joined your Windows Server 2022 Datacenter: Azure Edition file server to your Active Directory domain, then make sure it has access to at least one domain controller for authentication, but no domain controller requires any internet access.

Next, you can join your Windows 11 client to your domain or use it as a Workgroup. You need to make sure the names of the SMB over QUIC file server’s certificate subject alternative names are published to DNS and are fully qualified, or added to the HOSTS file (C:\Windows\System32\drivers\etc\hosts) for your Windows 11.

But since we are using a third-party certificate and the DNS domain name is pointing to the public IP address of the file server in Azure as shown in the figure below, then you can proceed to map and connect to your Azure File Share.

Domain name pointed towards file server in Azure
Domain name pointed towards file server in Azure

In this example, we are using a Windows 11 Pro client as shown in the figure below which is connected to an external network where it has no network access to a domain controller or the file server’s internal (private) IP address.

Gin w*x,osname
$PIP = Invoke-RestMethod 'http://ipinfo.io/json' | Select-Object -ExpandProperty ip
Write-Output "Your Public IP Address is: $PIP"
Microsoft Windows 11 Pro
Microsoft Windows 11 Pro

Next, in Windows File Explorer, in the Address Bar, type the UNC path (FQDN) to the share on the file server in Azure and confirm you can access data in the share.

Alternatively, you can use NET USE /TRANSPORT:QUIC or New-SmbMapping -TransportType QUIC with a UNC path. Examples:

# Automatically tries TCP first then QUIC over UDP
NET USE * \\afsedge1.yourdomain.com\usersdocs 

# Tries only QUIC over UDP
NET USE * \\afsedge1.yourdomain.com\usersdocs /TRANSPORT:QUIC

# Mount a drive a tries only QUIC over UDP
New-SmbMapping -LocalPath 'Z:' -RemotePath '\\afsedge1.yourdomain.com\usersdocs' -TransportType QUIC 

You can use any of the subject alternative names that are published to DNS and you should be able to access the share. In this example, we have three subject alternative names that SMB over QUIC clients can connect to.

And here you go, the user doesn’t see any real difference in the experience.

Access Azure File Share from Server Endpoint
Access Azure File Share from Server Endpoint

And under the covers, what’s really happening is. When the user is opening this file up, we are no longer using TCP port 445. We are actually on UDP 443 now as shown in the figure below, something that is very Internet-friendly. We are inside of a TLS tunnel in AES 256 encrypted safety.

netstat -na | Select-String "443"
Verify SMB over QUIC UDP/443
Verify SMB over QUIC UDP/443

Opening any file for example, and the user experience hasn’t changed, but under the covers, we are no longer using SMB TCP Port 445 like we used to do for years.

Opening a file from Azure File Share (server endpoint)
Opening a file from Azure File Share (server endpoint)

That’s it there you have it! Happy Azure File Share access with SMB over QUIC.

Summary

In this article, we showed you how to map and access Azure File Share with SMB over QUIC with Azure File Sync so you can eliminate the use of VPN when SMB TCP port 445 is blocked.

Azure File Sync extends on-premises file servers into Azure by providing cloud benefits while maintaining performance and compatibility. Azure File Sync provides:

Do you want to learn more about Azure Storage including Azure Blobs and Azure File Shares? Make sure to check my recently published online course here: Azure Storage Essential Training.

We hope you find this guide useful.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Related Posts

Previous

Exclude File Types from Cloud Tiering in Azure File Sync

Enable SFTP Support for Azure Blob Storage

Next

Let me know what you think, or ask a question...

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to Stay in Touch

Never miss out on your favorite posts and our latest announcements!

The content of this website is copyrighted from being plagiarized!

You can copy from the 'Code Blocks' in 'Black' by selecting the Code.

Please send your feedback to the author using this form for any 'Code' you like.

Thank you for visiting!