How to enable HTTP/3 in Windows Server 2022

In short, here are the few steps you need to perform to enable HTTP/3 in Windows Server 2022. Enabling HTTP/3 increases IIS web performance greatly. I can’t provide you with full details and how-to’s, as I don’t know your network. To enable HTTP/3 in Windows Server 2022 IIS 10.0, in a nutshell:

1. Add registry values to EnableHttp3 and EnableAltSvc:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableAltSvc /t REG_DWORD /d 1 /f

2. Verify QUIC traffic (443/UDP) is allowed on your server firewall and in your network:

(Get-NetFirewallRule) | ?{
  $_.DisplayName -eq "World Wide Web Services (QUIC Traffic-In)"
}

3. If Get-NetFirwallRule provides no results, open up your firewall to allow QUIC traffic for Internet Information Services (IIS) [UDP 443]:

New-NetFirewallRule -DisplayName "Allow QUIC" -Direction Inbound -Protocol UDP -LocalPort 443 -Action Allow -LocalOnlyMapping $true

These steps worked in my environment with Windows Server 2022 build 10.0.20348. But only on a freshly installed server, not in an in-place upgraded server from pre GA to this GA build. Further, a lot depends on your network: do you allow QUIC traffic traffic through your firewall? There are some different circumstances and results mentioned in the linked blog post below.

TLS 1.3 cipher suites for HTTP/3 (QUIC)

Ensure TLS 1.3 is enabled in your registry, as HTTP/3 will not negotiate over TLS 1.2.

HTTP/3 relies entirely on QUIC, which mandates the use of TLS 1.3. Unlike older TLS versions, TLS 1.3 drastically simplifies the number of supported cipher suites. To ensure your IIS server can successfully negotiate HTTP/3 connections, your system must support and prioritize the following three mandatory TLS 1.3 cipher suites:

1. TLS_AES_256_GCM_SHA384 (Highly recommended & strongest)
2. TLS_CHACHA20_POLY1305_SHA256 (Excellent performance, especially on mobile devices)
3. TLS_AES_128_GCM_SHA256

Cipher Suite	Encryption	Hash	Requirement
TLS_AES_256_GCM_SHA384	AES 256-bit GCM	SHA384	Mandatory for high security
TLS_CHACHA20_POLY1305_SHA256	ChaCha20-Poly1305	SHA256	Preferred for mobile/low-power CPU
TLS_AES_128_GCM_SHA256	AES 128-bit GCM	SHA256	Baseline mandatory

Enable these cipher suites, for example TLS_CHACHA20_POLY1305_SHA256 using PowerShell:

Enable-TlsCipherSuite -Name TLS_CHACHA20_POLY1305_SHA256 -Position 0

And verify it’s enabled: (Get-TlsCipherSuite).Name | Select-String CHACHA

You may find more information about enabling HTTP/3 in Windows Server 2022 IIS in Tommy Jensen‘s post Enabling HTTP/3 support on Windows Server 2022.

How to verify HTTP/3 is working in IIS

Once you have restarted your server, you can verify if HTTP/3 (QUIC) is successfully negotiating using your browser’s Developer Tools (F12).

1. Open Google Chrome, Microsoft Edge or Firefox and press F12 to open the Developer Tools.
2. Navigate to the Network tab.
3. Right-click on any column header (e.g., Name or Status) and ensure the Protocol column is checked.
4. Refresh the page (F5).

In the Protocol column, you should now see h3 listed for your website’s requests, indicating a successful HTTP/3 connection over UDP. If you see h2, the browser fallback to HTTP/2 occurred, meaning you should double-check your firewall’s UDP port 443 settings or TLS 1.3 configuration.

QUIC – HTTP/3 – performance counters

In your monitoring tool, you can get metrics from the (HTTP/3) \QUIC Performance Diagnostics\* performance counters, for example for in your Zabbix monitoring and templates. Use Performance Counters:

• \QUIC Performance Diagnostics\quic connections connected
• \QUIC Performance Diagnostics\quic streams active

Neat! 🙂