Forum Discussion
LPE Device Support
I'd personally be more concerned around the fact that the CX600 operating system (Windows CE) will no longer be patched. Should an exploit be discovered that compromises the CX devices you could have a pretty big botnet rather quickly.
We are in the process of replacing them, however that will take some time (around 3k devices and multiple locations). These phones are in their own containment zone and are now allowed internet access so I am not worried about that at this time.
I'm more concerned about TLS 1.0 support at the S4B 2019 server level.
TLS configurations are first and foremost, an SChannel configuration on the host operating system. S4B Server 2019 requires Windows Server 2019, which means that SSL/TLS versions supported by the OS are theoretically available for any apps running atop the host OS. For Windows Server 2019, TLS 1.0 is still enabled by default:
https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/
Typically speaking, I've never seen an application such as Exchange or Lync or Skype, set SChannel settings on the host OS during any type of installation or upgrade. I would expect LPE to work against S4B Server 2019, unless the server-side application code has been restricted to support only TLS 1.2 for secured negotiations. I would be surprised if that is the case, but there's nothing precluding MSFT from doing so.
Note: I would also not be surprised if MSFT begins hardening releases of Windows 10/Windows Server 2019 to disable and/or remove the weaker protocols (TLS 1.0/1.1) at some point in the future. If that occurs, then you have no recourse since the host OS dictates what is available to the apps running atop it.
Looking further into the documentation, I've found the following:
Security note: To ensure the strongest cryptographic protocol is used, Skype for Business Server 2019 will offer TLS encryption protocols in the following order to clients: TLS 2.0, TLS 1.2. TLS is a critical aspect of Skype for Business Server 2019 and thus it is required in order to maintain a supported environment.
https://docs.microsoft.com/en-us/SkypeForBusiness/plan-your-deployment/security/encryption
Looks like TLS 1.0 will not be supported with Skype for Business Server 2019 and therefore neither will the LPE (Polycom CX600) phones, at least as it currently stands.
TLS 2.0 is not an actual protocol version in existence. The newest version available of TLS is 1.3, but that is still very much in draft form from a standards perspective. TLS 1.0, 1.1 and 1.2 are the most widely used standards.
Until I deploy a 2019 Standard Edition server and test to concretely confirm, I have a hard time believing a published article with very large inaccuracies.
