Windows Server 2022 introduces native support for the HTTP/3 protocol, which makes IIS website pages load faster and improves security. The most important feature of HTTP/3 is that it is based on the QUIC (Quick UDP Internet Connections) transport protocol operating over UDP. Users with slow and unstable Internet connections benefit the most from HTTP/3. Let's see how to enable HTTP/3 support for an Internet Information Services (IIS 10.0.20348+) website running on Windows Server 2022.
To enable HTTP/3 support in IIS, you need to configure a few options in Windows:
- Enable TLS 1.3 on Windows Server (required to use QUIC and HTTP/3);
- Add the TLS_CHACHA20_POLY1305_SHA256 cipher suite for TLS connections;
- Add the HTTP/3 response header to the HTTP headers of your IIS website.
Edit some registry options to enable TLS 1.3 support on Windows Server (in this example, we enable TLS 1.3 client and server support).
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v Enabled /t REG_DWORD /d 1 /f
Enable HTTP/3 support for IIS:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableAltSvc /t REG_DWORD /d 1 /f
Then enable the required TLS cipher suite using the PowerShell command:
Enable-TlsCipherSuite -Name TLS_CHACHA20_POLY1305_SHA256 -Position 0
Make sure cipher suite support is enabled:
(Get-TlsCipherSuite).Name | Select-String CHACHA
Then add HTTP/3 to the response header of your website. Create a simple site in IIS (you can use the default website for testing), bind an SSL certificate to the website (you can use a self-signed Windows certificate, but your clients must trust it), and bind the website to port 443 (from the Edit Bindings menu).
Note that some additional options (Disable QUIC, Disable TLS 1.3 over TCP, Disable legacy TLS) are exposed in the Website Bindings form in IIS.
Then open the HTTP Response Headers section in the IIS website settings and add the following option to the list of HTTP response headers:
- Name: alt-svc
- Value: h3=":443"; ma=86400; persist=1
You can add this HTTP header option using PowerShell:
Import-Module WebAdministration
$siteName = "Default Web Site"
$headerName = "alt-svc"
# Single quotes keep the inner double quotes around :443 intact
$headerValue = 'h3=":443"; ma=86400; persist=1'
Add-WebConfigurationProperty -Filter "system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\Sites\$siteName" -Name . -AtElement @{name=$headerName} -Value @{name=$headerName;value=$headerValue}
Make sure QUIC (port 443/UDP) traffic is allowed in Microsoft Defender Firewall:
Get-NetFirewallRule | ?{ $_.DisplayName -eq "World Wide Web Services (QUIC Traffic-In)" }|select name,enabled, status
If the rule is inactive, enable the Windows Defender Firewall rule using PowerShell:
Get-NetFirewallRule IIS-WebServerRole-QUIC-In-UDP|enable-netfirewallrule
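A read-only check of all the settings made above, as an added example that is not part of the original article. It assumes the site name "Default Web Site"; Get-RegValue is a hypothetical helper defined in the block.

```powershell
# Added example: audits the HTTP/3 prerequisites from this article without changing anything.
# Assumption: the site is "Default Web Site"; set $siteName to your own site.
Import-Module WebAdministration
$siteName = 'Default Web Site'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'
$httpSys  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Hypothetical helper: returns $null (instead of throwing) when the key or value is missing
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Firewall rule and alt-svc header are looked up once; both may be absent
$fwRule = Get-NetFirewallRule -Name 'IIS-WebServerRole-QUIC-In-UDP' -ErrorAction SilentlyContinue
$altSvc = Get-WebConfiguration -PSPath "IIS:\Sites\$siteName" `
    -Filter "system.webServer/httpProtocol/customHeaders/add[@name='alt-svc']"

$checks = [ordered]@{
    'TLS 1.3 server: Enabled = 1'           = (Get-RegValue $schannel 'Enabled') -eq 1
    'TLS 1.3 server: DisabledByDefault = 0' = (Get-RegValue $schannel 'DisabledByDefault') -eq 0
    'HTTP.sys: EnableHttp3 = 1'             = (Get-RegValue $httpSys 'EnableHttp3') -eq 1
    'HTTP.sys: EnableAltSvc = 1'            = (Get-RegValue $httpSys 'EnableAltSvc') -eq 1
    'Cipher suite CHACHA20_POLY1305 listed' = (Get-TlsCipherSuite).Name -contains 'TLS_CHACHA20_POLY1305_SHA256'
    'Firewall rule for QUIC (UDP) enabled'  = ($null -ne $fwRule) -and ($fwRule.Enabled -eq 'True')
    'alt-svc header advertises h3 on :443'  = ($null -ne $altSvc) -and ($altSvc.value -match 'h3=":443"')
}

# One row per check, so a missing prerequisite is visible before the restart
$results = foreach ($name in $checks.Keys) {
    [pscustomobject]@{
        Check  = $name
        Status = if ($checks[$name]) { 'OK' } else { 'MISSING' }
    }
}
$results | Format-Table -AutoSize

if ($results.Status -contains 'MISSING') {
    Write-Warning 'At least one HTTP/3 prerequisite is not configured; clients will stay on HTTP/2 or HTTP/1.1.'
}
```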
Restart Windows Server. After restarting, make sure that the IIS website responds over HTTP/3 (all modern browsers support the HTTP/3 protocol by default).
- Open the webpage of your IIS site in a browser (I used the built-in Microsoft Edge), enable Inspect mode (developer tools), and go to the Network tab;
- Add the Protocol column and refresh the page (F5);
- Make sure that h3 is specified in the Protocol column. This means that HTTP/3 is used to connect to the website.