Disabling TLS 1.0/1.1 in Skype for Business Server 2015: Part 1

First published on TECHNET on Apr 18, 2018
May 16, 2019: Updates for SRSv2 Support for Skype for Business Server 2015, 2019

March 29, 2019: Updated information for Lync Room Systems (SRSv1)

August 8, 2018: Important Update to Lync Server 2013 Edge Role Supportability for TLS Disable

August 2, 2018: Clarified Support for SBA and SBS

May 24, 2018: Added In-place Upgrade scenarios to Supported; made changes to Pre-requisites and TLS Disable reg files based on additional validation testing; please review Parts 1 & 2 carefully as the deployment steps have changed.

Announcing Support for Disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises

We are pleased to announce supportability for disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises.  In this blog series we'll cover the main drivers for disabling older TLS protocols in your On-Premises environment, what is in-scope, and out, for Supportability, and the steps required to disable TLS 1.0 and 1.1.  This blog post will serve as the table of contents and will be updated as we publish additional guidance.  This information is authoritative and should be considered official Microsoft documentation from the Skype for Business Product Group.

Note that we are not covering Office 365 in this series of blog posts with the exception of preparing your On-Premises environment to communicate with Office 365 in Hybrid or Federation scenarios once TLS 1.0 and 1.1 are deprecated.  For more information see Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business.

Also note we have not made any changes to our Pseudo-TLS implementation.  Pseudo-TLS is not impacted by disabling TLS 1.0/1.1 on Skype for Business Servers and an in-depth discussion of MS-TURN Pseudo-TLS is beyond the scope of this blog series.  However, all previous guidance still applies - some HTTP proxies or firewalls may interfere with the MS-TURN protocol and prevent Lync/Skype for Business clients and servers from functioning properly.  In releasing support for disabling TLS 1.0/1.1 in your Skype for Business Server On-Premises environments we are not suggesting you begin actively monitoring and blocking MS-TURN (Lync/Skype) Pseudo-TLS on HTTP proxies and firewalls, in fact this practice remains unsupported.

Blogs in this Series

• Part 1: Introduction and Scope (this blog) 

• Part 2: How-to Update an Existing Topology 

• Part 3: Advanced Deployment Scenarios

Introduction

The purpose of this blog series is to provide the necessary guidance for you to prepare for and implement disabling TLS 1.0 and 1.1 in your environments.  This process requires extensive planning and preparation.  Please carefully review all of the information in this blog series as you make your plan to disable TLS 1.0 and 1.1 if required for your organization.  Note that there are many external dependencies and connectivity that could be impacted by disabling TLS 1.0/1.1 so extensive planning and testing is warranted.

Background

The primary drivers for providing TLS 1.0 and 1.1 disable support for Skype for Business Server On-Premises are Payment Card Industry (PCI) Security Standards Council and Federal Information Processing Standards requirements.  More information for PCI requirements can be found here .  Microsoft cannot provide guidance on whether or not your organization is required to adhere to these or other requirements.  You must determine if it is required for you to disable TLS 1.0 and/or 1.1 in your environments.

Microsoft has produced a whitepaper on TLS available here , and we also recommend the background reading available over at the Exchange blog .

Supportability Scope

Scope refers to supportability boundaries. For Skype for Business Server On-Premises, in scope means we fully support and have tested disabling of TLS 1.0 and 1.1 for the listed product versions.  Currently being investigated means just that; we are actively investigating bringing these products into scope for TLS disable support.  Out of scope means these product versions do not support disabling TLS 1.0 or 1.1 and will not work, with noted exceptions.

Fully tested and supported Servers:

• Skype for Business Server 2015 CU6 HF2 6.0.9319.516 ( March 2018 update ) and higher on
  
  
  • Windows Server 2012 (with KB 3140245 or superseding update), 2012 R2 or 2016
  
  In-place Upgraded Skype for Business Server 2015, with CU6 HF2 and higher on
  
  
  • Windows Server 2008 R2, 2012 (with KB 3140245 or superseding update), or 2012 R2

• Exchange Connectivity and Outlook Web App with Exchange Server 2010 SP3 RU19 or higher, guidance here

• Survivable Branch Appliance (SBA) with Sfb Server 2015 CU6 HF2 or higher (it is the vendor's responsibility to package the appropriate CU and provide it, be sure to confirm with your vendor that the updates have been made available for your appliance)

• Survivable Branch Server (SBS) with SfB Server 2015 CU6 HF2 or higher

• Lync Server 2013 Edge Role Only**

Fully tested and supported Clients:

• Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 15.0.5023.1000 and higher

• Skype for Business 2016 Desktop Client, MSI 16.0.4678.1000 and higher , including Basic

• Skype for Business 2016 Click to Run Require the April 2018 Updates :
  
  
  • Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher
  
  
  • Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher

• Skype for Business on Mac 16.15 and higher

• Skype for Business for iOS and Android 6.19 and higher

• Skype Web App 2015 CU6 HF2 and higher (ships with Server)

• Skype Room Systems v2 (a.k.a. SRSv2 or Microsoft Teams Rooms) version 4.0.64.0 and higher with Skype for Business Server 2015 May 2019 Cumulative Update
• Surface Hub v1 with 
  May 28, 2019—update for Team edition based on KB4499162*  (OS Build 15063.1835)
  *Requires Skype for Business Server 2015 May 2019 Update or Skype for Business Server July 2019 Update (CU1)
• Call Quality Dashboard version 9319.17 and higher

Out-of-Scope

Except where noted, the following products are not in scope for TLS 1.0/1.1 disable support and will not function in an environment where TLS 1.0 and 1.1 have been disabled.  What this means: if you still utilize out-of-scope servers or clients you must update or remove these if you need to disable TLS 1.0/1.1 anywhere in your Skype for Business Server on-premises deployment.

• Lync Server 2013**

• Lync Server 2010

• Windows Server 2008 and lower

• Lync for Mac 2011

• Lync 2013 for Mobile - iOS, iPad, Android or Windows Phone

• Skype for Business for Windows Phone - retired 

• Lync "MX" Windows Store client

• All Lync 2010 clients

• Lync Phone Edition - updated guidance here .

• 2013 based Survivable Branch Appliance (SBA) or Survivable Branch Server (SBS)

• Cloud Connector Edition (CCE)***

• Lync Room System (a.k.a. SRSv1) - updated guidance here .

Exceptions

Call Quality Dashboard:

Versions of On-Premises Call Quality Dashboard prior to 9319.31 have a dependency on TLS 1.0 during new install (first time installing into your On-Premises environments).  This is now fixed, refer to Call Quality Dashboard installation fails if TLS 1.0/1.1 isn't enabled correctly or disabled on Skyp...

**Lync Server 2013:

Lync Server 2013 now supports TLS 1.2 with the July, 2018 Cumulative Update , a.k.a. "CU10".  We're providing TLS 1.2 support to enable co-existence, migration, Federation and Hybrid scenarios.  This does not mean, however, that we support disabling TLS 1.0 or 1.1 on Lync Server 2013.  In fact, doing so will render Lync Server 2013 nonoperational.

Lync Server 2013 ( all roles except Edge ) takes a dependency on Windows Fabric version 1.0.  In the design phase for Lync Server 2013, Windows Fabric 1.0 was chosen for its compelling and new distributed architecture to provide replication, high availability and fault tolerance.  Over time, both Skype for Business Server and Windows Fabric have greatly improved this joint architecture with significant re-design in subsequent versions.  Current Skype for Business 2015 Server uses Windows Fabric 3.0, for example.

Unfortunately, Windows Fabric 1.0 does not support TLS 1.2 .  Therefore it remains unsupported to disable TLS 1.0 or 1.1 on all roles of Lync Server 2013 except Edge.

We are now providing support for disabling TLS 1.0 and 1.1 on Lync Server 2013 Edge role only .  Because Edge role does not have a dependency on Windows Fabric 1.0, this means you can disable TLS 1.0 and 1.1 on your 2013 Edge servers and they will continue to function properly.  For example it is supported to disable TLS 1.0 and 1.1 on Lync Server 2013 Edge servers with Lync Server 2013 Front End pools, as long as all pre-requisites are met, especially Lync Server 2013 CU10.  All pre-requisites and configuration steps that apply to Skype for Business Server 2015 in this blog series also apply to 2013 Edge.   Follow the same instructions for disabling TLS 1.0 and 1.1 on Lync 2013 Edge.

If your organization is required to disable TLS 1.0 and 1.1 on an unsupported server version/role, we recommend you begin your planning process now with the possibility you may have to In-place upgrade or Side-by-Side migrate (new pools, move users) to Skype for Business Server 2015 or higher.  Or you may want to accelerate migration to Skype for Business Online.

***Cloud Connector Edition (CCE):

CCE currently works with and supports TLS 1.2 when connecting to Skype for Business Online.  However, it remains unsupported to disable TLS 1.0 and 1.1 on CCE systems.  Further, attempting to do so will render CCE systems inoperable.

3rd Party Devices

On 3rd party devices such as 3PIP phones, Video conferencing, Reverse Proxies and Load Balancers, be sure to validate TLS 1.2 supportability, test carefully, and contact the vendor if needed.

Federation Considerations when disabling TLS 1.0/1.1 on Edge Servers

You must carefully plan for and consider the impact of disabling TLS 1.0/1.1 on your Edge servers.  Once TLS 1.0 and 1.1 are disabled, you may find that other organizations are no longer be able to Federate with your organization.

You may opt to keep TLS 1.0/1.1 enabled on your Edge servers to maintain backward compatibility with non-patched (SfB 2015, Lync 2013) or older (2010) external systems.

Further, we highly recommend reading Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business. If you operate a Hybrid Lync or Skype for Business Server organization or Federate with Office 365 Skype for Business Online customers, this may impact you.

Microsoft cannot provide advice or recommendations on whether or not your Edge network (or any network) falls under PCI standard, that must be determined by the individual company.

Skype for Business Online is capable of TLS 1.2 today, so no impact to Hybrid/Federation with Online is expected.

PIC (Public IM Connectivity) to Skype Consumer service: We do not expect disabling TLS 1.0/1.1 to impact Skype Connectivity ; Microsoft PIC Gateways are already TLS 1.2 capable.

In the next post we'll detail all the prerequisites and necessary steps to disable TLS 1.0/1.1 in your Skype for Business Server 2015 environment.