August 8, 2018: Important Update to Lync Server 2013 Edge Role Supportability for TLS Disable
August 2, 2018: Clarified Support for SBA and SBS
May 24, 2018: Added In-place Upgrade scenarios to Supported; made changes to Pre-requisites and TLS Disable reg files based on additional validation testing; please review Parts 1 & 2 carefully as the deployment steps have changed.
Announcing Support for Disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises
We are pleased to announce supportability for disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises. In this blog series we'll cover the main drivers for disabling older TLS protocols in your On-Premises environment, what is in scope and out of scope for supportability, and the steps required to disable TLS 1.0 and 1.1. This blog post will serve as the table of contents and will be updated as we publish additional guidance. This information is authoritative and should be considered official Microsoft documentation from the Skype for Business Product Group.
Note that we are not covering Office 365 in this series of blog posts with the exception of preparing your On-Premises environment to communicate with Office 365 in Hybrid or Federation scenarios once TLS 1.0 and 1.1 are deprecated. For more information see Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business.
Also note we have not made any changes to our Pseudo-TLS implementation. Pseudo-TLS is not impacted by disabling TLS 1.0/1.1 on Skype for Business Servers, and an in-depth discussion of MS-TURN Pseudo-TLS is beyond the scope of this blog series. However, all previous guidance still applies: some HTTP proxies or firewalls may interfere with the MS-TURN protocol and prevent Lync/Skype for Business clients and servers from functioning properly. In releasing support for disabling TLS 1.0/1.1 in your Skype for Business Server On-Premises environments we are not suggesting you begin actively monitoring and blocking MS-TURN (Lync/Skype) Pseudo-TLS on HTTP proxies and firewalls; in fact, this practice remains unsupported.
Blogs in this Series
- Part 1: Introduction and Scope (this blog)
- Part 2: How-to Update an Existing Topology
- Part 3: Advanced Deployment Scenarios
The purpose of this blog series is to provide the necessary guidance for you to prepare for and implement disabling TLS 1.0 and 1.1 in your environments. This process requires extensive planning and preparation. Please carefully review all of the information in this blog series as you make your plan to disable TLS 1.0 and 1.1 if required for your organization. Note that many external dependencies and connectivity paths could be impacted by disabling TLS 1.0/1.1, so extensive planning and testing is warranted.
The primary drivers for providing TLS 1.0 and 1.1 disable support for Skype for Business Server On-Premises are Payment Card Industry (PCI) Security Standards Council and Federal Information Processing Standards requirements. More information for PCI requirements can be found here. Microsoft cannot provide guidance on whether or not your organization is required to adhere to these or other requirements. You must determine if it is required for you to disable TLS 1.0 and/or 1.1 in your environments.
Scope refers to supportability boundaries. For Skype for Business Server On-Premises, in scope means we fully support and have tested disabling of TLS 1.0 and 1.1 for the listed product versions. Currently being investigated means just that; we are actively investigating bringing these products into scope for TLS disable support. Out of scope means these product versions do not support disabling TLS 1.0 or 1.1 and will not work, with noted exceptions.
Fully tested and supported Servers:
- Skype for Business Server 2015 CU6 HF2 6.0.9319.516 (March 2018 update) and higher on
  - Windows Server 2012 (with KB 3140245 or superseding update), 2012 R2 or 2016
- In-place Upgraded Skype for Business Server 2015, with CU6 HF2 and higher on
  - Windows Server 2008 R2, 2012 (with KB 3140245 or superseding update), or 2012 R2
- Exchange Connectivity and Outlook Web App with Exchange Server 2010 SP3 RU19 or higher, guidance here
- Survivable Branch Appliance (SBA) with SfB Server 2015 CU6 HF2 or higher (it is the vendor's responsibility to package the appropriate CU and provide it; be sure to confirm with your vendor that the updates have been made available for your appliance)
- Survivable Branch Server (SBS) with SfB Server 2015 CU6 HF2 or higher
- Lync Server 2013 Edge Role Only**
Fully tested and supported Clients:
- Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 15.0.5023.1000 and higher
- Skype for Business 2016 Desktop Client, MSI 16.0.4678.1000 and higher, including Basic
- Skype for Business 2016 Click-to-Run clients require the April 2018 updates:
  - Monthly and Semi-Annual Targeted: 16.0.9126.2152 and higher
  - Semi-Annual and Deferred Channel: 16.0.8431.2242 and higher
- Skype for Business on Mac 16.15 and higher
- Skype for Business for iOS and Android 6.19 and higher
- Skype Web App 2015 CU6 HF2 and higher (ships with Server)
Currently being investigated, check back often for updates:
- Lync Room System (a.k.a. SRSv1)
- Skype Room System (a.k.a. 'SRSv2' or Rigel)
- Surface Hub
- Call Quality Dashboard (new install after TLS 1.0, 1.1 have been disabled, see below)*
Except where noted, the following products are not in scope for TLS 1.0/1.1 disable support and will not function in an environment where TLS 1.0 and 1.1 have been disabled. What this means: if you still utilize out-of-scope servers or clients you must update or remove these if you need to disable TLS 1.0/1.1 anywhere in your Skype for Business Server on-premises deployment.
- Lync Server 2013**
- Lync Server 2010
- Windows Server 2008 and lower
- Lync for Mac 2011
- Lync 2013 for Mobile - iOS, iPad, Android or Windows Phone
- Lync "MX" Windows Store client
- All Lync 2010 clients
- Lync Phone Edition - updated guidance here.
- 2013 based Survivable Branch Appliance (SBA) or Survivable Branch Server (SBS)
- Cloud Connector Edition (CCE)***
*Call Quality Dashboard:
On-Premises Call Quality Dashboard currently has a dependency on TLS 1.0 during new install (first time installing into your On-Premises environments). We are currently investigating this issue and plan to release a fix in the near future. If you are planning to install CQD and also disable TLS 1.0, we recommend you complete CQD installation first, then proceed with TLS 1.0 disabling.
**Lync Server 2013:
Lync Server 2013 now supports TLS 1.2 with the July 2018 Cumulative Update, a.k.a. "CU10". We're providing TLS 1.2 support to enable co-existence, migration, Federation and Hybrid scenarios. This does not mean, however, that we support disabling TLS 1.0 or 1.1 on Lync Server 2013. In fact, doing so will render Lync Server 2013 nonoperational.
Lync Server 2013 (all roles except Edge) takes a dependency on Windows Fabric version 1.0. In the design phase for Lync Server 2013, Windows Fabric 1.0 was chosen for its compelling and new distributed architecture to provide replication, high availability and fault tolerance. Over time, both Skype for Business Server and Windows Fabric have greatly improved this joint architecture with significant re-design in subsequent versions. Current Skype for Business 2015 Server uses Windows Fabric 3.0, for example.
Unfortunately, Windows Fabric 1.0 does not support TLS 1.2. Therefore it remains unsupported to disable TLS 1.0 or 1.1 on all roles of Lync Server 2013 except Edge.
We are now providing support for disabling TLS 1.0 and 1.1 on the Lync Server 2013 Edge role only. Because the Edge role does not have a dependency on Windows Fabric 1.0, you can disable TLS 1.0 and 1.1 on your 2013 Edge servers and they will continue to function properly. For example, it is supported to disable TLS 1.0 and 1.1 on Lync Server 2013 Edge servers with Lync Server 2013 Front End pools, as long as all pre-requisites are met, especially Lync Server 2013 CU10. All pre-requisites and configuration steps that apply to Skype for Business Server 2015 in this blog series also apply to 2013 Edge. Follow the same instructions for disabling TLS 1.0 and 1.1 on Lync 2013 Edge.
If your organization is required to disable TLS 1.0 and 1.1 on an unsupported server version/role, we recommend you begin your planning process now with the possibility you may have to In-place upgrade or Side-by-Side migrate (new pools, move users) to Skype for Business Server 2015 or higher. Or you may want to accelerate migration to Skype for Business Online.
***Cloud Connector Edition (CCE):
CCE currently works with and supports TLS 1.2 when connecting to Skype for Business Online. However, it remains unsupported to disable TLS 1.0 and 1.1 on CCE systems. Further, attempting to do so will render CCE systems inoperable.
3rd Party Devices
On 3rd party devices such as 3PIP phones, Video conferencing, Reverse Proxies and Load Balancers, be sure to validate TLS 1.2 supportability, test carefully, and contact the vendor if needed.
Federation Considerations when disabling TLS 1.0/1.1 on Edge Servers
You must carefully plan for and consider the impact of disabling TLS 1.0/1.1 on your Edge servers. Once TLS 1.0 and 1.1 are disabled, you may find that other organizations are no longer able to Federate with your organization.
You may opt to keep TLS 1.0/1.1 enabled on your Edge servers to maintain backward compatibility with non-patched (SfB 2015, Lync 2013) or older (2010) external systems.
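Both the third-party device advice above (validate TLS 1.2 support before disabling anything) and the Edge decision here come down to one question per listener: which TLS versions does it actually negotiate? The following probe is an added example written for this post, not Microsoft's or the product group's tooling; it pins a client handshake to exactly one protocol version at a time and reports which versions a host accepts, then grades the result against the two intended end states the post describes (legacy versions off, or deliberately left on for an Edge that must federate with older partners). The host name and port are assumptions supplied by the operator, and the probe is meant for your own servers and devices. One caveat: on an OpenSSL 3 client, TLS 1.0/1.1 are only offered at security level 0, which the code requests; if your Python build refuses them entirely, a "rejected" result for those versions reflects the client, not the server, so cross-check such a result from a second client before treating it as proof of compliance.

```python
import socket
import ssl
import sys

# Versions this blog series is about, keyed by the name ssl.SSLSocket.version() reports.
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_tls_version(host, port, version, timeout=5.0):
    """Return True if a handshake pinned to exactly `version` completes with host:port.

    False means the handshake failed: the server rejected the version (the result
    you want for TLS 1.0/1.1 after the change), the connection was refused, or the
    local OpenSSL would not offer that version at all (see the lead-in caveat).
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # probing protocol support only, not identity
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            # OpenSSL 3 needs security level 0 before it will offer TLS 1.0/1.1.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe_host(host, port=443):
    """Map each probed version name to whether host:port negotiated it."""
    return {name: probe_tls_version(host, port, ver) for name, ver in PROBE_VERSIONS.items()}


def assess(results, legacy_expected=False):
    """Turn a {version_name: accepted} map into (verdict, findings).

    legacy_expected=False: the endpoint should accept TLS 1.2 and nothing older.
    legacy_expected=True: an Edge deliberately kept on TLS 1.0/1.1 for backward-
    compatible federation, as the post allows; it must still speak TLS 1.2.
    """
    findings = []
    if not results.get("TLSv1.2"):
        findings.append("TLS 1.2 not accepted: will break once legacy versions are disabled")
    legacy_on = [v for v in ("TLSv1", "TLSv1.1") if results.get(v)]
    if legacy_on and not legacy_expected:
        findings.append("still negotiates " + ", ".join(legacy_on))
    if legacy_expected and not legacy_on:
        findings.append("legacy versions already rejected; older federation partners will fail")
    return ("OK" if not findings else "ATTENTION"), findings


if __name__ == "__main__":
    # Usage: python tls_probe.py <host> [port] [--legacy-expected]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # placeholder target
    port = int(sys.argv[2]) if len(sys.argv) > 2 and sys.argv[2].isdigit() else 443
    found = probe_host(target, port)
    verdict, notes = assess(found, legacy_expected="--legacy-expected" in sys.argv)
    for name, ok in found.items():
        print(f"{name:8s} {'accepted' if ok else 'rejected'}")
    print(verdict, "; ".join(notes))
```

Run it against each reverse proxy, load balancer, 3PIP device management interface and Edge external listener in turn, once before the change to confirm TLS 1.2 is already negotiable, and once after to confirm the legacy versions are gone (or, for a deliberately lenient Edge, still present).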
Further, we highly recommend reading Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business. If you operate a Hybrid Lync or Skype for Business Server organization or Federate with Office 365 Skype for Business Online customers, this may impact you.
Microsoft cannot provide advice or recommendations on whether or not your Edge network (or any network) falls under the PCI standard; that must be determined by the individual company.
Skype for Business Online is capable of TLS 1.2 today, so no impact to Hybrid/Federation with Online is expected.
PIC (Public IM Connectivity) to Skype Consumer service: We do not expect disabling TLS 1.0/1.1 to impact Skype Connectivity; Microsoft PIC Gateways are already TLS 1.2 capable.
In the next post we'll detail all the prerequisites and necessary steps to disable TLS 1.0/1.1 in your Skype for Business Server 2015 environment.