Vitaliy Taryanik
Copper Contributor
Jul 31, 2018

LPE Device Support

Will S4B 2019 on prem server have support for LPE devices such as the Polycom CX600 phones?

15 Replies

  • And LPE does not support TLS 1.2. So they cannot be used with SFB Online and you should not start using it with a brand new SFB2019 Server and lower the TLS security for those old phones.
    • rovert506
      Iron Contributor
      LPE devices certainly can be used against S4BO - and have been capable for a long while - as long as the devices are running the latest firmware. TLS 1.2 is not strictly enforced by Office 365 at the moment, so any device supporting a minimum of TLS 1.0 with the correct ciphers and suites will work, LPE included. MSFT backtracked their decision to enforce TLS 1.2, so TLS 1.0 and TLS 1.1 remain in place for the moment.

      That being said, the announcement to deprecate certain ciphers and suites in S4BO by Feb 2019 will officially give LPE the death knell because there won't be a common cipher between LPE and Office 365, even with TLS 1.0/1.1 remaining available for the moment. As a result, if you've got on premises LPEs attempting to connect to Office 365 (think Azure AD or Exchange Online or Skype for Business Online) then those connections will not succeed. LPE truly is standing at death's door.

      I also don't agree that allowing LPE "weakens" security just because TLS 1.0 is allowed, especially in an on premises environment. There are many arguments that could be made on either side, but an outright statement of "insecure" is far too simplified and doesn't consider all the potential variables of that equation.
  • I'd personally be more concerned around the fact that the CX600 operating system (Windows CE) will no longer be patched. Should an exploit be discovered that compromises the CX devices you could have a pretty big botnet rather quickly.

    • Vitaliy Taryanik
      Copper Contributor

      We are in the process of replacing them; however, that will take some time (around 3k devices and multiple locations). These phones are in their own containment zone and are now allowed internet access so I am not worried about that at this time.

      I'm more concerned about TLS 1.0 support at the S4B 2019 server level.

      • rovert506
        Iron Contributor

        TLS configurations are, first and foremost, an SChannel configuration on the host operating system. S4B Server 2019 requires Windows Server 2019, which means that SSL/TLS versions supported by the OS are theoretically available for any apps running atop the host OS. For Windows Server 2019, TLS 1.0 is still enabled by default:

        https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/

        Typically speaking, I've never seen an application such as Exchange or Lync or Skype set SChannel settings on the host OS during any type of installation or upgrade. I would expect LPE to work against S4B Server 2019, unless the server-side application code has been restricted to support only TLS 1.2 for secured negotiations. I would be surprised if that is the case, but there's nothing precluding MSFT from doing so.

        Note: I would also not be surprised if MSFT begins hardening releases of Windows 10/Windows Server 2019 to disable and/or remove the weaker protocols (TLS 1.0/1.1) at some point in the future. If that occurs, then you have no recourse since the host OS dictates what is available to the apps running atop it.
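
The host-level SChannel settings discussed in the reply above can be read from the registry. This PowerShell script is an added example, not part of the original thread or any poster's code; it assumes the standard SChannel `Protocols` registry layout with `Enabled` and `DisabledByDefault` values, and the function name `Get-SchannelProtocolState` is hypothetical.

```powershell
# Added example: read-only report of SChannel protocol settings on this host.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles     = 'Server', 'Client'

function Get-SchannelProtocolState {   # hypothetical helper name
    param([string]$Protocol, [string]$Role)

    $path  = Join-Path (Join-Path $base $Protocol) $Role
    $state = [ordered]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $null
        DisabledByDefault = $null
        Effective         = 'OS default (no override)'
    }

    if (Test-Path -LiteralPath $path) {
        $key = Get-Item -LiteralPath $path
        # GetValue returns $null when the value is absent from the key.
        $state.Enabled           = $key.GetValue('Enabled')
        $state.DisabledByDefault = $key.GetValue('DisabledByDefault')

        if ($null -ne $state.Enabled -and $state.Enabled -eq 0) {
            $state.Effective = 'Disabled'
        }
        elseif ($null -ne $state.DisabledByDefault -and $state.DisabledByDefault -ne 0) {
            $state.Effective = 'Off unless an application requests it'
        }
        elseif ($null -ne $state.Enabled) {
            $state.Effective = 'Enabled'
        }
    }
    [pscustomobject]$state
}

# One row per protocol and role; the Server rows are what phones connect to.
$report = foreach ($p in $protocols) {
    foreach ($r in $roles) { Get-SchannelProtocolState -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize
```

A row reporting "OS default (no override)" means no registry override exists, so the operating system's built-in default for that protocol applies.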
