As you may have heard through the grapevine, TLS 1.0/1.1 will be deprecated starting October 31st, 2018. So what does that mean and why should you care? In this article we’ll discuss what this means for users of Lync/Skype for Business on-premises and Skype for Business Online, and why TLS 1.2 will be mandatory going forward in Office 365. So, with all that said, let’s dive right in!
Background
Microsoft has been toying with us in terms of their TLS 1.0/1.1 deprecation date. Initially Microsoft had said they’d no longer be supporting TLS 1.0/1.1 as of March 2018. However, due to continuous backlash from the Microsoft community regarding the very aggressive timeline, Microsoft has agreed to extend support for TLS 1.0/1.1 until October 31, 2018. So why is Microsoft pushing this so aggressively? Well, as of right now, there are no known TLS 1.0 security vulnerabilities within Microsoft’s TLS 1.0 implementation. However, Microsoft has stated that, due to the potential for future protocol downgrade attacks and other TLS vulnerabilities, they have made the executive decision to discontinue support for TLS 1.0/1.1 in the Office 365 environment. These vulnerabilities can include (but are not limited to) BEAST, POODLE, CRIME and Heartbleed. This applies to both client-server and browser-server combinations.
Note: Using TLS 1.2 with Office 365 does not mean you must have TLS 1.0/1.1 disabled in your environments by October 31, 2018. If parts of your environment require the use of TLS 1.0 and 1.1 on or after October 31, 2018, you can leave the older protocol versions enabled. However, TLS 1.2 will have to be enabled and used for communication with Office 365 to avoid any interruption in service.
Preparation
In order to best prepare for this upcoming TLS 1.2 change to your Office 365 environment, there are 3 scenarios that you should review and adequately plan and prepare for.
- Lync/Skype client connectivity to Office 365
- On-premises server integration w/Office 365
- 3rd party integration with Skype for Business Online
Now let’s discuss each of these scenarios in a little more detail.
Lync/Skype client connectivity to Office 365
Lync and Skype for Business clients may connect to Skype for Business Online, Exchange Online or both, depending on where the accounts for these services are homed (online or on-premises). With that said, you should refer to the table below regarding the different connectivity scenarios to determine whether preparation will be required.
| Mailbox Location | Lync/Skype account location | Preparation Required |
|---|---|---|
| Online | Online | Yes |
| On-premises | Online | Yes |
| Online | On-premises | Yes |
| On-premises | On-premises | No* |
*Although you are not required to prepare for client connectivity scenarios, you may still be required to remediate your on-premises infrastructure if you federate with any customers that reside in Skype for Business Online. This scenario is covered further in the next section.
You must also ensure that you have the following minimum client versions:
- Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 0.5023.1000 and higher
- Skype for Business 2016 Desktop Client, MSI 0.4678.1000 and higher, including Basic
- Skype for Business 2016 Click-to-Run requires the April 2018 updates:
  - Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher
  - Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher
- Skype for Business on Mac 16.15 and higher
- Skype for Business for iOS and Android 6.19 and higher
- Skype Web App 2015 CU6 HF2 and higher (ships with Server)
In addition, please note the fully supported and tested servers:
- Skype for Business Server 2015 CU6 HF2 6.0.9319.516 (March 2018 update) and higher on
  - Windows Server 2012 (with KB 3140245 or superseding update), 2012 R2 or 2016
- In-place upgraded Skype for Business Server 2015, with CU6 HF2 and higher on
  - Windows Server 2008 R2, 2012 (with KB 3140245 or superseding update), or 2012 R2
- Exchange Connectivity and Outlook Web App with Exchange Server 2010 SP3 RU19 or higher, guidance here
- Survivable Branch Appliance (SBA) with SfB Server 2015 CU6 HF2 or higher (it is the vendor’s responsibility to package the appropriate CU and provide it; be sure to confirm with your vendor that the updates have been made available for your appliance)
- Survivable Branch Server (SBS) with SfB Server 2015 CU6 HF2 or higher
- Lync Server 2013 Edge Role Only** – (More on this below)
**Lync Server 2013 now supports TLS 1.2 with the July 2018 Cumulative Update, a.k.a. “CU10”. According to Microsoft, “we are providing TLS 1.2 support to enable co-existence, migration, Federation and Hybrid scenarios. This does not mean, however, that we support disabling TLS 1.0 or 1.1 on Lync Server 2013. In fact, doing so will render Lync Server 2013 nonoperational. Lync Server 2013 (all roles except Edge) takes a dependency on Windows Fabric version 1.0. With that said, Windows Fabric 1.0 does not support TLS 1.2 and therefore it remains unsupported to disable TLS 1.0 or 1.1 on all roles of Lync Server 2013 except Edge.”
Please be aware that not all devices support TLS 1.2 at this time; they are currently being reviewed, and Microsoft has indicated that it will provide guidance on this at a later date. You should check back regularly regarding TLS 1.2 support for the following devices:
- Lync Room System (LRS/SRSv1)
- Skype Room System (a.k.a. ‘SRSv2’ or Rigel)
- Surface Hub
- Call Quality Dashboard (CQD)** – More on this below
- Cloud Connector Edition (CCE)
** If you plan on installing an on-premises deployment of CQD, be aware that first-time installs currently depend on TLS 1.0. A fix is being tested; in the meantime, if you are installing CQD on-premises, complete the installation before disabling TLS 1.0.
Please also make note of the following products that are not supported and considered out of scope:
- Lync Server 2013** – (Exceptions mentioned above)
- Lync Server 2010
- Windows Server 2008 and lower
- Lync for Mac 2011
- Lync 2013 for Mobile – iOS, iPad, Android or Windows Phone
- Lync “MX” Windows Store client
- All Lync 2010 clients
- Lync Phone Edition – updated guidance here.
- 2013 based Survivable Branch Appliance (SBA) or Survivable Branch Server (SBS)
Lastly, as mentioned with the preceding client remediation, you must ensure that the underlying Operating System (OS) and default browser support TLS 1.2. For Microsoft OS support, you can consult Microsoft’s whitepaper here.
Note: Windows 7 does not have TLS 1.2 enabled by default. This means that you will need to enable it for all Windows 7 users if this has not been done already (guidance on this is included in the whitepaper above). The following link provides guidance on TLS 1.2 capability for browsers: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
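As an added example (not from the original article or from Microsoft’s whitepaper), the PowerShell below audits the SCHANNEL protocol keys on a Windows 7 / Server 2008 R2 / 2012 host and enables TLS 1.2 for the client and server roles; it also sets the WinHTTP default that KB 3140245 (listed above as required on Windows Server 2012) introduces, and the .NET Framework 4.x switches that let managed applications follow the OS default. The registry paths and value names are the documented ones; the function names are my own.

```powershell
# Added example: audit and enable TLS 1.2 on Windows 7 / Server 2008 R2 / 2012 hosts.
# Run in an elevated PowerShell; SCHANNEL changes take effect after a reboot.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-TlsProtocolState {
    # One row per protocol/role. $null means no override exists and the OS default applies
    # (on Windows 7 that default leaves TLS 1.1/1.2 off for the client role).
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key = "$Schannel\$proto\$role"
            $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        }
    }
}

function Set-Dword($Path, $Name, $Value) {
    # Creates the key if missing and writes/overwrites a REG_DWORD value.
    New-Item -Path $Path -Force | Out-Null
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Enable-Tls12 {
    # 1. SCHANNEL: explicitly enable TLS 1.2 for both roles (TLS 1.0/1.1 are left untouched,
    #    matching the note above that they may stay enabled where still required).
    foreach ($role in 'Client', 'Server') {
        Set-Dword "$Schannel\TLS 1.2\$role" 'Enabled'           1
        Set-Dword "$Schannel\TLS 1.2\$role" 'DisabledByDefault' 0
    }
    foreach ($sw in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {   # 64-bit and 32-bit views
        # 2. WinHTTP (after KB 3140245): DefaultSecureProtocols bitmask, 0x80 = TLS 1.0,
        #    0x200 = TLS 1.1, 0x800 = TLS 1.2. 0xA80 adds TLS 1.2 without dropping the
        #    older versions; use 0x800 once nothing on the host still needs them.
        Set-Dword "HKLM:\$sw\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" `
                  'DefaultSecureProtocols' 0xA80
        # 3. .NET Framework 4.x (4.6+, or a patched 4.5.x): managed apps that never set
        #    ServicePointManager.SecurityProtocol then follow the OS default.
        Set-Dword "HKLM:\$sw\Microsoft\.NETFramework\v4.0.30319" 'SystemDefaultTlsVersions' 1
        Set-Dword "HKLM:\$sw\Microsoft\.NETFramework\v4.0.30319" 'SchUseStrongCrypto'       1
    }
}

Get-TlsProtocolState | Format-Table -AutoSize   # inspect the current state first
# Enable-Tls12                                  # uncomment to apply, then reboot
```

Running the audit before and after the change shows the TLS 1.2 rows move from $null (OS default) to Enabled = 1 / DisabledByDefault = 0, while the TLS 1.0/1.1 rows are unchanged.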
On-premises server integration with Office 365
There are several supported hybrid topologies covered by this scenario, including integration or hybrid with Skype for Business Online or Exchange Online. For a list of all supported on-premises Skype for Business to Exchange integration scenarios, please refer to the link here. Please note that Lync 2010 hybrid scenarios have never been in scope for TLS 1.2 support; you must therefore plan accordingly to get to a supported hybrid topology (i.e. Lync 2013 hybrid or Skype for Business 2015 hybrid). The table below provides an overview of the scenarios where preparation is required, as well as where to find additional guidance on these deployment and integration types.
| Deployed on-premises | Integration/Hybrid with | Preparation Required | Guidance |
|---|---|---|---|
| Skype for Business Server or Lync Server on-premises | Skype for Business Online | Yes | This article |
| Skype for Business Server or Lync Server on-premises | Federation with other customers or partners in Office 365 (current or future) | Yes | This article |
| Skype for Business Server or Lync Server on-premises | No | N/A | |
| Skype for Business Server or Lync Server on-premises | Exchange Server | Yes | This article |
| Exchange Server on-premises | Skype for Business Online | Yes | Follow the guidance in the Exchange blog series. |
| Cloud Connector Edition (CCE) | Skype for Business Online | No | Ensure you do not federate with customers in Office 365 or integrate with PIC as described in the first scenario. |
| Skype for Business Server or Lync Server on-premises | Skype for Business Online | No (ensure you do not federate with customers in Office 365 or integrate with PIC as described in the first scenario) | N/A |
If you fall under one of the first 4 scenarios outlined above, you are required to update your on-premises server environment to one of the following versions:
- Skype for Business Server 2015 CU6 HF2 6.0.9319.516 (March 2018 update) and higher on Windows Server 2012 (with KB 3140245 or superseding update), 2012 R2 or 2016
- In-place Upgraded Skype for Business Server 2015, with CU6 HF2 and higher on Windows Server 2008 R2, 2012 (with KB 3140245 or superseding update), or 2012 R2
- Lync Server 2013 CU10 or higher. https://support.microsoft.com/en-us/help/2809243/updates-for-lync-server-2013. Any supported OS for Lync Server 2013 – 2008 R2 – 2012 R2; https://technet.microsoft.com/en-us/library/gg398588(v=ocs.15).aspx
As mentioned earlier, Lync 2010 was never part of Microsoft’s scope to support TLS 1.2; if you have a Lync 2010 environment, it is therefore recommended that you upgrade to Skype for Business Server 2015 HF2 6.0.9319.516 or higher. Hybrid or integration scenarios with Office Communications Server 2007 R2 or earlier are not supported.
- For post CU6 HF2 steps required for SFB Server 2015 – please refer to https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-se…
Post CU10 steps required for Lync Server 2013 are exactly the same as SFB Server 2015.
3rd Party Integration with Skype for Business Online
For those of you not already aware, Microsoft has a plethora of supported SDKs and APIs that you can find here. With that said, you must also consider that some of these SDKs and APIs might not be able to support TLS 1.2. Microsoft recommends that you consult your 3rd party vendor to ensure that the SDK or API integrates fully with TLS 1.2. However, if you have developed your own application in-house, Microsoft highly recommends that you follow the guidance in their TLS white paper. This white paper provides guidance to ensure your in-house application is capable of providing TLS 1.2 support, through validation and testing methods.
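One validation step a practitioner would want here is a quick check of which TLS versions an in-house application (or any on-premises endpoint) actually accepts. The PowerShell below is an added example, not code from the article or from Microsoft’s white paper: it drives a .NET SslStream handshake once per protocol version and reports the outcome; the function name and the sample host name are assumptions.

```powershell
# Added example: report which TLS versions an endpoint accepts, one handshake per version.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # SslProtocols enum names: Tls = TLS 1.0, Tls11 = TLS 1.1, Tls12 = TLS 1.2
        [string[]] $Versions = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($v in $Versions) {
        $client = New-Object System.Net.Sockets.TcpClient
        $result = [ordered]@{ Host = $HostName; Offered = $v; Accepted = $false; Negotiated = $null; Error = $null }
        try {
            $client.Connect($HostName, $Port)
            # Certificate validation is deliberately bypassed: only protocol support is under test here.
            $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
            $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]$v, $false)
            $result.Accepted   = $true
            $result.Negotiated = $ssl.SslProtocol      # the version the peer actually agreed to
            $ssl.Close()
        } catch {
            # A refused handshake means the peer (or this client) does not support the offered version.
            $result.Error = $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
        }
        [pscustomobject]$result
    }
}

# Sample host name is a placeholder; TLS 1.2 must show Accepted = True before the cut-over.
Test-TlsVersion -HostName 'sfb-app.example.com' | Format-Table -AutoSize
```

Run the check from a host that has already been remediated: an unpatched Windows 7 client cannot offer TLS 1.2 itself, so a Tls12 failure from such a machine reflects the client rather than the endpoint under test.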
Final Considerations
Lastly, it is highly likely that your environment is made up of various types of security and networking devices, each of which must also be checked for TLS 1.2 support. This may include (but is not limited to):
- Proxy/Reverse Proxy servers
- Load balancers
- 3PIP phones
- Video Conferencing devices
- SBC
- SBA/SBS
For a more in-depth overview on this topic including how to update your existing topology as well as advanced deployment scenarios, I’d highly recommend checking out the NextHop Blog series.