File Director SMB3 encryption

About File Director SMB3 encryption

File Director supports SMB3.02 encryption for all traffic from File Director servers to back-end storage. Support is for SMB3.02 encrypted shares, with Windows Server 2012 R2 as the reference platform. Using encrypted SMB3.02 shares requires valid Kerberos configuration items on the File Director server to support authentication. It also requires that map points are specified using a hostname rather than an IP address. The Fully Qualified Domain Name is preferred, although a short name will work if valid DNS search domains have been configured.

If the File Director server is secured in a DMZ, port 88 must be open on the firewall between File Director and Active Directory for this to work. This applies to both TCP and UDP.

Two modes of authentication are available:

  • Username and password authentication on the endpoint, with the File Director server switching to Kerberos authentication to communicate securely with the back-end SMB3.02 share.
  • Kerberos from the endpoint right through to the SMB3.02 share, using ticket forwarding.

For both authentication modes, reverse IP lookups for file servers and domain controllers must be set up, and the clock skew between File Director and the domain controllers must be less than five minutes.

For File Director to function correctly, AES-128 encryption must be enabled on the Key Distribution Center (KDC).

Once all configuration is complete, enable the SMB3.02 protocol on the Windows Server 2012 R2 share; otherwise data will not be encrypted in transit.
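As an added example (not part of this documentation or of File Director itself), the following PowerShell pre-flight script checks the prerequisites above from a domain-joined administration host: reverse DNS for the map-point host, TCP 88 to the KDC, clock skew, AES-128 on the KDC account, and encryption on the share. It assumes the DnsClient and ActiveDirectory (RSAT) modules, WinRM access to the file server, and placeholder host and share names.

```powershell
# Added example, not File Director product code. Host and share names are placeholders.
param(
    [string]$FileServerFqdn   = 'fs01.corp.example',  # placeholder map-point host (FQDN, not IP)
    [string]$DomainController = 'dc01.corp.example',  # placeholder domain controller / KDC
    [string]$ShareName        = 'FileDirectorData'    # placeholder share name
)

$results = [ordered]@{}

# 1. Map points must use a hostname that resolves forward (A) and backward (PTR).
$a   = Resolve-DnsName -Name $FileServerFqdn -Type A -ErrorAction SilentlyContinue
$ptr = if ($a) { Resolve-DnsName -Name $a[0].IPAddress -Type PTR -ErrorAction SilentlyContinue }
$results['ReverseLookupOK'] = [bool]($ptr -and ($ptr.NameHost -like "$FileServerFqdn*"))

# 2. Kerberos needs TCP and UDP 88 to the KDC. Test-NetConnection only probes TCP,
#    so the UDP half still has to be confirmed on the firewall rule itself.
$tnc = Test-NetConnection -ComputerName $DomainController -Port 88 -WarningAction SilentlyContinue
$results['Kdc88TcpOK'] = $tnc.TcpTestSucceeded

# 3. Clock skew against the domain controller must stay under five minutes (300 s).
$chart = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly 2>&1
$m = $chart | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -Last 1
$skew = if ($m) { [math]::Abs([double]$m.Matches[0].Groups[1].Value) } else { $null }
$results['ClockSkewSeconds'] = $skew
$results['ClockSkewOK'] = ($null -ne $skew) -and ($skew -lt 300)

# 4. The KDC must offer AES-128: bit 0x8 of msDS-SupportedEncryptionTypes on the DC account.
#    A null value means the domain default applies; confirm via the Kerberos encryption-types policy.
$dcName = ($DomainController -split '\.')[0]
$enc = (Get-ADComputer -Identity $dcName -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
$results['KdcAes128OK'] = [bool]($enc -band 0x8)

# 5. The share on the Server 2012 R2 file server must require SMB encryption,
#    otherwise File Director traffic to it is sent in clear.
$share = Invoke-Command -ComputerName $FileServerFqdn -ScriptBlock {
    param($n) Get-SmbShare -Name $n | Select-Object Name, EncryptData
} -ArgumentList $ShareName
$results['ShareEncryptData'] = $share.EncryptData
if (-not $share.EncryptData) {
    # Remediation: turn on per-share encryption (the SMB 3.x EncryptData flag).
    Invoke-Command -ComputerName $FileServerFqdn -ScriptBlock {
        param($n) Set-SmbShare -Name $n -EncryptData $true -Force
    } -ArgumentList $ShareName
    $results['ShareEncryptData'] = 'enabled by this script'
}

[pscustomobject]$results
```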
