Blog Post

Skype for Business Blog

6 MIN READ

Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business

Pamela Arimoto

Microsoft

Aug 01, 2018

INTRODUCTION

The purpose of this blog post is to provide the necessary guidance for our Skype for Business Server, Lync Server, and Skype for Business Online customers to prepare for the deprecation of TLS 1.0 and 1.1 in Office 365.

Please carefully review all the information in this blog post as you prepare for the mandatory use of TLS 1.2 in Office 365. Note that there may be many dependencies and connectivity considerations in your environment so extensive planning and testing is advised.

BACKGROUND

We are planning to discontinue support for Transport Layer Security (TLS) versions 1.0 and 1.1 in Microsoft Office 365 on October 31, 2018. This was previously announced in the following support article. https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

This change will provide our customers with the best-in-class encryption for our customers. For more details on TLS, please consult the following whitepaper: here

For additional background understanding of TLS (and a great resource for Exchange customers), see the following blog post.

HOW TO PREPARE

If you would like to prepare your environments for the upcoming TLS 1.2 change, there are three general scenarios you should review and, if applicable to your organization, adequately plan and prepare for.

Lync/Skype client connectivity to Office 365
On-premises server integration w/Office 365
3rd party integration with Skype for Business Online

We will cover each of these scenarios independently in the following sections.

Lync/Skype client connectivity to Office 365

Lync and Skype for Business clients may connect to Skype for Business Online, Exchange Online or both depending on where the account for these services are homed (online or on-premises). For example, if a Skype for Business client has their account homed in Lync Server 2013 on-premises, the client will still connect to Exchange Online if respective mailbox for the user is homed in Office 365.

As such, you need to follow the proceeding guidance if you fall into one of the following 3 client connectivity scenarios that has been flagged as ‘Preparation required”.

Mailbox Location	Lync/Skype account location	Preparation Required
Online	Online	Yes
On-premises	Online	Yes
Online	On-premises	Yes
On-premises	On-premises	No*

*although you are not required to prepare for client connectivity scenarios, you still may be required to remediate your on-premises infrastructure if you federate with any customers that reside in Skype for Business Online. This scenario will be covered further in the next section.

To prepare your organization for the client connectivity scenarios, you should ensure that your clients meet the following minimum versions.

Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 0.5023.1000 and higher
Skype for Business 2016 Desktop Client, MSI 0.4678.1000 and higher, including Basic
Skype for Business 2016 Click to Run Require the April 2018 Updates:
- Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher
- Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher
Skype for Business on Mac 16.15 and higher
Skype for Business for iOS and Android 6.19 and higher

The following clients and devices do not fully support TLS 1.2, and therefore, you must transition to a fully TLS 1.2 capable version in the list.

Lync for Mac 2011
Lync 2013 for Mobile - iOS, iPad, Android or Windows Phone
Lync "MX" Windows Store client
All Lync 2010 clients
Lync Phone Edition. There is further guidance provided for these devices is located here.
Lync Room System (a.k.a. SRS v1) – LRS has reached end of support on October 9, 2018 and will not be updated to support TLS 1.2. Customers should consider migrating to SRS V2. See details here.

The following devices are actively working on supporting TLS 1.2 and are committed to providing support for TLS 1.2 before TLS 1.0/1.1 deprecation.

Skype Room System (a.k.a. 'SRSv2' or Rigel) and Surface Hub guidance -

Microsoft Teams Rooms (previously Skype Room System V2 SRS V2) support TLS 1.2 since December 2018. Room device should have Microsoft Teams Room app version 4.0.64.0. ( See Release Notes). The changes are backward and forward compatible. Surface Hub released TLS 1.2 support in May 2019.

TLS 1.2 support for Microsoft Teams Rooms and Surface Hub products also requires server side code changes:

Skype for Business Online server changes were made live in April 2019 and now support connecting Microsoft Teams Rooms & Surface Hub devices using TLS 1.2.
Skype for Business Server customers need a cumulative update install for them to use TLS 1.2 with Teams Rooms Systems and Surface Hub.
Skype for Business Server 2015 – This is CU9 that is already released in May 2019.
Skype for Business Server 2019- This is CU1 that was previously planned for April 2019 but is delayed to June 2019.

Skype for Business on-premise customer should not disable TLS 1.0/1.1 prior to installing specific CUs for SfB Server.

In addition to the preceding client remediation, it is important to ensure that the underlying OS and default browser supports TLS 1.2. For Microsoft OS support, you can consult our TLS whitepaper. Note: Windows 7 by default does not have TLS 1.2 enabled by default. The aforementioned whitepaper includes guidance on how to enable TLS 1.2 in Windows 7. The following link will provide you with guidance on TLS 1.2 capability for browsers. https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

On-premises server integration w/Office 365

There are several hybrid topologies that are covered under this scenario. This includes any integration or Hybrid with Skype for Business Online or Exchange Online. For your reference, all the supported on-premises Skype to Exchange integration scenarios are covered here.

The following table provides an overview of the scenarios that require preparation and where to find the respective guidance.

Deployed on-premises	Integration/Hybrid with	Preparation Required	Guidance
Skype for Business Server or Lync Server on-premises	Skype for Business Online	Yes	This article
Skype for Business Server or Lync Server on-premises	Federation with other customers or partners in Office 365 (current or future)	Yes	This article
Skype for Business Server or Lync Server on-premises	Exchange Server	Yes	This article
Exchange Server on-premises	Skype for Business Online	Yes	Follow the guidance in the Exchange blog series.
Cloud Connector Edition (CCE)	Skype for Business Online	No	CCE already communicates with Skype for Business Online with TLS 1.2 only.
Skype for Business Server or Lync Server on-premises	Exchange Server on-premises	No. (ensure you do not federate with customers in Office 365 as described in the first scenario)	N/A

If your organization falls under the first four scenarios, you are required to upgrade your on-premises server environment to one of the following versions.

Skype for Business Server 2015 CU6 HF2 6.0.9319.516 (March 2018 update) and higher on Windows Server 2012 (with KB 3140245 or superseding update), 2012 R2 or 2016
In-place Upgraded Skype for Business Server 2015, with CU6 HF2 and higher on Windows Server 2008 R2, 2012 (with KB 3140245 or superseding update), or 2012 R2
Lync Server 2013 CU10 or higher. https://support.microsoft.com/en-us/help/2809243/updates-for-lync-server-2013. Any supported OS for Lync Server 2013 – 2008 R2 – 2012 R2; https://technet.microsoft.com/en-us/library/gg398588(v=ocs.15).aspx

If you are a customer that is running Lync Server 2010, we recommend that you upgrade to Skype for Business Server 2015 HF2 6.0.9319.516 or higher. Note: Hybrid or integration scenarios with Office Communications Server 2007 R2 or earlier are not supported.

For post CU6 HF2 steps required for SFB Server 2015 – please refer to https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-2/
Post CU10 steps required for Lync Server 2013 are exactly the same as SFB Server 2015.

If you want to confirm Skype for Business Server TLS 1.2 support has been properly configured please install On-Premises Diagnostics for Skype for Business Server and execute 'Check to see if TLS 1.0/1.1 deprecation is properly configured' diagnostic. For more details please refer to How to use OPD.

3rd Party integration with Skype for Business Online

Skype for Business Online provides several supported SDKs and APIs. If you are using a product from a 3^rd party vendor that integrates with the SDKs or APIs, then consult your vendor to ensure that it fully supports TLS 1.2. If you have written a custom in-house application that integrates with Skype for Business Online via these APIs and SDKs, then it is highly recommended that you follow the guidance in our TLS white paper. The white paper provides guidance to ensure your application is fully TLS 1.2 capable and provide guidance on how to validate through testing.

OTHER CONSIDERATIONS

Your organization’s environment may be comprised of various networking or security devices that may include; proxy servers and load balancers, or other networking components. Be sure to validate TLS 1.2 supportability, test carefully, and contact the vendor if needed.

Updated Dec 22, 2021

Version 15.0

Pamela Arimoto

Microsoft

Joined September 29, 2016

View Profile

Skype for Business Blog

Follow this blog board to get notified when there's new activity

49 Comments

rovert506
Iron Contributor
Aug 03, 2018
I'll concede the point that the blog post (this one) is primarily about the PCI DSS 3.2 standards. However, I tend to view the PCI DSS 3.2 and the O365 enforcement as one in the same, because many customers are viewing it that way.

For 2010 hybrid, you've really got a few access methods for Hybrid:
Edge Servers to O365 (hybrid and federation)
PowerShell on FE's (for user moves to O365)
Client Access to O365 (S4BO)
Client Access to O365 (ExO)
Client Access to O365 (AzureAD)
Client/Server access to AD-FS

Assuming you've got a Windows Server OS with TLS 1.2 enabled today, you could examine Wireshark/NetMon/MessageAnalyzer for #1 and #2 above for your flows to O365 and determine what TLS protocol is being negotiated. If TLS 1.2 is used, then in theory, you don't have to do anything with on-premises server infrastructure and things will probably remain functional after 31-Oct. If TLS 1.2 is not used (even though the host OS has it enabled), then you have your answer. I actually don't have a 2010 lab to test this with, so I can't tell you authoritatively unfortunately.

Either way, with 2010 out of mainstream support (and the fact that many voice pieces in the hybrid topology now require a 2015 edge server and FE in order to function with all call flows), it likely is not the best approach to leave 2010 in place and a take a gamble.
Rob Kennedy
Copper Contributor
Aug 03, 2018
I would disagree that the article is clear on support for hybrid . The theme of the nexthop article is very much focused on disabling TLS 1.0/1.1 for the purposes of security and PCI compliance. I'm aware that O365 is already enabled for TLS 1.2, the issues is getting on prem infrastructure ready for TLS 1.2. The below KB article clearly states that TLS 1.2 has to be enabled and TLS 1.0/1.1 can remain enabled. I agree that the next shop states that Lync 2010 is out-of-scope of disabling but what it doesn't state is that Lync Server 2010 won't be supported for TLS 1.2 or Hybrid.

"Using TLS 1.2 with Office 365 does not mean you must have TLS 1.0/1.1 disabled in your environments by October 31, 2018. If parts of your environment require the use of TLS 1.0 and 1.1 on or after October 31, 2018, you can leave the older protocol versions enabled. However, TLS 1.2 will have to be enabled and used for communication with Office 365 to avoid any interruption in service."
https://support.microsoft.com/en-ae/help/4057306/preparing-for-tls-1-2-in-office-365
rovert506
Iron Contributor
Aug 03, 2018
Rob Kennedy - The Oct 31 date was never about enabling TLS 1.2, as TLS 1.2 is already enabled within Office365 and secured communications can succeed over that protocol version today if the client endpoint supports TLS 1.2 (otherwise it would succeed over TLS 1.1 or TLS 1.0). The Oct 31 date has always been about enforcing and requiring a minimum of TLS 1.2 for secured communications with Office365, which requires that TLS 1.0 and TLS 1.1 be disabled and restricted from TLS cipher negotiations.

https://support.microsoft.com/en-ae/help/4057306/preparing-for-tls-1-2-in-office-365

The https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-1/ explicitly states that Lync Server 2010 is out of scope and will not function in a TLS 1.2 enforced configuration, so the information has been publicly available since April 2018. If you've got hybrid established to Office365 via Lync Server 2010, then you absolutely need to get your topology updated to at a minimum Lync Server 2013 (ideally Skype for Business Server 2015) in order to keep hybrid functional once MSFT makes the changes on Oct 31.
Rob Kennedy
Copper Contributor
Aug 03, 2018
Thanks Corbin. The Nexthop article you reference discussed disabling TLS 1.0/1.1 rather than enabling TLS 1.2. Isn't the requirement for October 31 2018 to enable TLS 1.2? This article published yesterday appears to be the first announcement stating that Lync 2010 won't support TLS 1.2 and isn't supported for hybrid which doesn't leave a great deal of time to make alternate plans.
Corbin_Meek
Microsoft
Aug 02, 2018
Hi Rob Kennedy and Clayton Jay Martin - Lync Server 2010 is not in scope for TLS 1.0/1.1 disable support. Refer to: https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-1/

If you are still running an On-Premises Lync Server 2010 Hybrid with Skype for Business Online environment you will need to take steps to ensure connectivity beyond the deprecation date. That could include upgrading to a version of On-Premises server that does support TLS 1.0/1.1 disabling, or it could mean accelerating migration to 100% Online for your Lync/Skype for Business workloads.
Clayton Jay Martin
Brass Contributor
Aug 02, 2018
Pamela Arimoto Am I understanding correctly that Lync 2010 customers will not have a direct migration path to SfB online after October 31st?
Rob Kennedy
Copper Contributor
Aug 02, 2018
Can I ask for clarification that Lync 2010 Hybrid customers are "required" to upgrade to SfB Server 2015 prior to October 31 2018?
Alejandro Araujo Rajzner
Brass Contributor
Aug 02, 2018
wroot, as per https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365 :

If you have Windows 7 clients connected to Office 365, make sure that TLS 1.2 is the default secure protocols in WinHTTP in Windows. For more information see https://support.microsoft.com/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in.

So yes, there's something to be done in Windows 7, explained here https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

I believe Internet explorer 11 manually establishes the highest version of TLS as default (that's just my belief, have not contrast that yet), and as stated in the article "This update will not change the behavior of applications that are manually setting the secure protocols instead of pass the default flag." Referring with the default flag to WINHTTP_OPTION_SECURE_PROTOCOLS, for the DefaultSecureProtocols registry entry.
wroot
Silver Contributor
Aug 02, 2018
I have asked in the forums in March i think (when it was still planned to switch earlier) if we really need to do something about Windows 7. Didn't get 100% answer. But here it says that Windows 7 has no default support for TLS 1.2 (i know that, but IE11 works perfectly on Win7 and it supports TLS 1.2, so maybe if an app/browser has support it can work without changing anything on the OS). So, we MUST do something about this with Windows 7?