First published on TECHNET on Apr 18, 2018
May 16, 2019: Updates for SRSv2 Support for Skype for Business Server 2015, 2019
March 29, 2019: Updated information for Lync Room Systems (SRSv1)
August 8, 2018: Important Update to Lync Server 2013 Edge Role Supportability for TLS Disable
August 2, 2018: Clarified Support for SBA and SBS
May 24, 2018: Added In-place Upgrade scenarios to Supported; made changes to Pre-requisites and TLS Disable reg files based on additional validation testing; please review Parts 1 & 2 carefully as the deployment steps have changed.
We are pleased to announce supportability for disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises. In this blog series we'll cover the main drivers for disabling older TLS protocols in your On-Premises environment, what is in-scope, and out, for Supportability, and the steps required to disable TLS 1.0 and 1.1. This blog post will serve as the table of contents and will be updated as we publish additional guidance. This information is authoritative and should be considered official Microsoft documentation from the Skype for Business Product Group.
Note that we are not covering Office 365 in this series of blog posts with the exception of preparing your On-Premises environment to communicate with Office 365 in Hybrid or Federation scenarios once TLS 1.0 and 1.1 are deprecated. For more information see Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business.
Also note we have not made any changes to our Pseudo-TLS implementation. Pseudo-TLS is not impacted by disabling TLS 1.0/1.1 on Skype for Business Servers, and an in-depth discussion of MS-TURN Pseudo-TLS is beyond the scope of this blog series. However, all previous guidance still applies: some HTTP proxies or firewalls may interfere with the MS-TURN protocol and prevent Lync/Skype for Business clients and servers from functioning properly. In releasing support for disabling TLS 1.0/1.1 in your Skype for Business Server On-Premises environments we are not suggesting you begin actively monitoring and blocking MS-TURN (Lync/Skype) Pseudo-TLS on HTTP proxies and firewalls; in fact, this practice remains unsupported.
The purpose of this blog series is to provide the necessary guidance for you to prepare for and implement disabling TLS 1.0 and 1.1 in your environments. This process requires extensive planning and preparation. Please carefully review all of the information in this blog series as you make your plan to disable TLS 1.0 and 1.1 if required for your organization. Note that there are many external dependencies and connectivity that could be impacted by disabling TLS 1.0/1.1 so extensive planning and testing is warranted.
The primary drivers for providing TLS 1.0 and 1.1 disable support for Skype for Business Server On-Premises are Payment Card Industry (PCI) Security Standards Council and Federal Information Processing Standards (FIPS) requirements. More information for PCI requirements can be found here. Microsoft cannot provide guidance on whether or not your organization is required to adhere to these or other requirements. You must determine if it is required for you to disable TLS 1.0 and/or 1.1 in your environments.
Microsoft has produced a whitepaper on TLS available here, and we also recommend the background reading available over at the Exchange blog.
Scope refers to supportability boundaries. For Skype for Business Server On-Premises, in scope means we fully support and have tested disabling of TLS 1.0 and 1.1 for the listed product versions. Currently being investigated means just that; we are actively investigating bringing these products into scope for TLS disable support. Out of scope means these product versions do not support disabling TLS 1.0 or 1.1 and will not work, with noted exceptions.
Except where noted, the following products are not in scope for TLS 1.0/1.1 disable support and will not function in an environment where TLS 1.0 and 1.1 have been disabled. What this means: if you still utilize out-of-scope servers or clients you must update or remove these if you need to disable TLS 1.0/1.1 anywhere in your Skype for Business Server on-premises deployment.
Lync Server 2013 now supports TLS 1.2 with the July 2018 Cumulative Update, a.k.a. "CU10". We're providing TLS 1.2 support to enable co-existence, migration, Federation and Hybrid scenarios. This does not mean, however, that we support disabling TLS 1.0 or 1.1 on Lync Server 2013. In fact, doing so will render Lync Server 2013 nonoperational.
Lync Server 2013 (all roles except Edge) takes a dependency on Windows Fabric version 1.0. In the design phase for Lync Server 2013, Windows Fabric 1.0 was chosen for its compelling and new distributed architecture to provide replication, high availability and fault tolerance. Over time, both Skype for Business Server and Windows Fabric have greatly improved this joint architecture with significant re-design in subsequent versions. Current Skype for Business Server 2015 uses Windows Fabric 3.0, for example.
Unfortunately, Windows Fabric 1.0 does not support TLS 1.2. Therefore it remains unsupported to disable TLS 1.0 or 1.1 on all roles of Lync Server 2013 except Edge.
We are now providing support for disabling TLS 1.0 and 1.1 on the Lync Server 2013 Edge role only. Because the Edge role does not have a dependency on Windows Fabric 1.0, you can disable TLS 1.0 and 1.1 on your 2013 Edge servers and they will continue to function properly. For example, it is supported to disable TLS 1.0 and 1.1 on Lync Server 2013 Edge servers with Lync Server 2013 Front End pools, as long as all pre-requisites are met, especially Lync Server 2013 CU10. All pre-requisites and configuration steps that apply to Skype for Business Server 2015 in this blog series also apply to 2013 Edge. Follow the same instructions for disabling TLS 1.0 and 1.1 on Lync 2013 Edge.
If your organization is required to disable TLS 1.0 and 1.1 on an unsupported server version/role, we recommend you begin your planning process now with the possibility you may have to In-place upgrade or Side-by-Side migrate (new pools, move users) to Skype for Business Server 2015 or higher. Or you may want to accelerate migration to Skype for Business Online.
CCE currently works with and supports TLS 1.2 when connecting to Skype for Business Online. However, it remains unsupported to disable TLS 1.0 and 1.1 on CCE systems. Further, attempting to do so will render CCE systems inoperable.
On 3rd party devices such as 3PIP phones, Video conferencing, Reverse Proxies and Load Balancers, be sure to validate TLS 1.2 supportability, test carefully, and contact the vendor if needed.
You must carefully plan for and consider the impact of disabling TLS 1.0/1.1 on your Edge servers. Once TLS 1.0 and 1.1 are disabled, you may find that other organizations are no longer able to Federate with your organization.
You may opt to keep TLS 1.0/1.1 enabled on your Edge servers to maintain backward compatibility with non-patched (SfB 2015, Lync 2013) or older (2010) external systems.
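As a planning check for the two caveats above (third-party devices that must be validated for TLS 1.2, and Edge/Federation partners that may still depend on TLS 1.0/1.1), here is an added example that is not from the original post or from Microsoft. It probes one endpoint, such as a federation partner's Edge on port 5061 or a reverse proxy on 443, offering a single TLS version per connection and reporting which versions complete a handshake, then turns the result into a go/no-go verdict for your cutover plan. The host names, the default port and the verdict wording are my own assumptions; the probe tests protocol negotiation only and deliberately skips certificate validation.

```python
"""Probe which TLS versions a Skype for Business (or partner) endpoint will negotiate.

Added example for cutover planning; assumes Python 3.7+ with an OpenSSL-backed ssl module.
"""
import socket
import ssl
from typing import Dict

# Versions this planning guide cares about. Each probe offers exactly one of them.
PROBE_VERSIONS = (
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
)


def _context_for(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Build a client context that offers only `version` (probe-only settings)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing negotiation, not trust; an internal CA must not fail the probe.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level; lower it so the
    # probe can actually offer them. Never apply this to a server configuration.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # cipher-string syntax not understood by this build; proceed with defaults
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def negotiates(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """True if the endpoint completes a handshake when only `version` is offered.

    False covers both "server refused it" and "this client build cannot offer it",
    so a False for TLS 1.0/1.1 from a modern client says nothing about the server.
    """
    try:
        ctx = _context_for(version)
    except (ssl.SSLError, ValueError):
        return False  # local OpenSSL was built without this protocol version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False  # handshake alert, refused connection, timeout, DNS failure


def probe(host: str, port: int = 5061, timeout: float = 5.0) -> Dict[str, bool]:
    """Probe every version in PROBE_VERSIONS against host:port (5061 = SIP/TLS on Edge)."""
    return {name: negotiates(host, port, ver, timeout) for name, ver in PROBE_VERSIONS}


def assess(results: Dict[str, bool]) -> str:
    """Planning verdict: an endpoint without TLS 1.2 will break once 1.0/1.1 are disabled."""
    legacy = [name for name in ("TLS 1.0", "TLS 1.1") if results.get(name)]
    if not results.get("TLS 1.2"):
        return "BLOCKER: endpoint does not negotiate TLS 1.2; update or replace it first"
    if legacy:
        return "OK after cutover: TLS 1.2 works, but endpoint still offers " + ", ".join(legacy)
    return "OK: TLS 1.2 only"


if __name__ == "__main__":
    import sys

    # Placeholder target; pass your partner's Edge or reverse proxy on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "sip.example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5061
    found = probe(target, target_port)
    for name, ok in found.items():
        print(f"{target}:{target_port} {name}: {'negotiated' if ok else 'refused'}")
    print(assess(found))
```

Run it as `python probe_tls.py sip.partner.example 5061` from a host that can reach the endpoint. Because the probe lowers OpenSSL's security level only on the client side, a "refused" for TLS 1.0/1.1 is meaningful only if your Python build can still offer those versions; a BLOCKER verdict (no TLS 1.2 handshake) is the result that should stop a cutover regardless.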
Further, we highly recommend reading Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business. If you operate a Hybrid Lync or Skype for Business Server organization or Federate with Office 365 Skype for Business Online customers, this may impact you.
Microsoft cannot provide advice or recommendations on whether or not your Edge network (or any network) falls under the PCI standard; that must be determined by the individual company.
Skype for Business Online is capable of TLS 1.2 today, so no impact to Hybrid/Federation with Online is expected.
PIC (Public IM Connectivity) to Skype Consumer service: We do not expect disabling TLS 1.0/1.1 to impact Skype Connectivity; Microsoft PIC Gateways are already TLS 1.2 capable.
In the next post we'll detail all the prerequisites and necessary steps to disable TLS 1.0/1.1 in your Skype for Business Server 2015 environment.