May 24, 2018 Update: Added In-place Upgrade scenarios to Supported; made changes to Pre-requisites and TLS Disable reg files based on additional validation testing; please review Parts 1 & 2 carefully as the deployment steps have changed.
Announcing Support for Disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises
We are pleased to announce supportability for disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises. In this blog series we'll cover the main drivers for disabling older TLS protocols in your On-Premises environment, what is in and out of scope for supportability, and the steps required to disable TLS 1.0 and 1.1. This blog post will serve as the table of contents and will be updated as we publish additional guidance. This information is authoritative and should be considered official Microsoft documentation from the Skype for Business Product Group.
Note that we are not covering Office 365 in this series of blog posts. Communications on deprecating TLS 1.0 and 1.1 in Office 365, Skype for Business Online will be addressed in separate documentation later.
Also note we have not made any changes to our Pseudo-TLS implementation. Pseudo-TLS is not impacted by disabling TLS 1.0/1.1 on Skype for Business Servers, and an in-depth discussion of MS-TURN Pseudo-TLS is beyond the scope of this blog series. However, all previous guidance still applies: some HTTP proxies or firewalls may interfere with the MS-TURN protocol and prevent Lync/Skype for Business clients and servers from functioning properly. In releasing support for disabling TLS 1.0/1.1 in your Skype for Business Server On-Premises environments we are not suggesting you begin actively monitoring and blocking MS-TURN (Lync/Skype) Pseudo-TLS on HTTP proxies and firewalls; in fact, this practice remains unsupported.
Blogs in this Series
- Part 1: Introduction and Scope (this blog)
- Part 2: How-to Update an Existing Topology
- Part 3: Advanced Deployment Scenarios
The purpose of this blog series is to provide the necessary guidance for you to prepare for and implement disabling TLS 1.0 and 1.1 in your environments. This process requires extensive planning and preparation. Please carefully review all of the information in this blog series as you make your plan to disable TLS 1.0 and 1.1, if required for your organization. Note that many external dependencies and connections could be affected by disabling TLS 1.0/1.1, so extensive planning and testing is warranted.
The primary drivers for supporting the disabling of TLS 1.0 and 1.1 in Skype for Business Server On-Premises are Payment Card Industry (PCI) Security Standards Council and Federal Information Processing Standards requirements. More information on PCI requirements can be found here. Microsoft cannot provide guidance on whether or not your organization is required to adhere to these or other requirements. You must determine whether it is required for you to disable TLS 1.0 and/or 1.1 in your environments.
Scope refers to supportability boundaries. For Skype for Business Server On-Premises, in scope means we fully support and have tested disabling of TLS 1.0 and 1.1 for the listed product versions. Currently being investigated means just that; we are actively investigating bringing these products into scope for TLS disable support. Out of scope means these product versions do not support disabling TLS 1.0 or 1.1 and will not work, with noted exceptions.
Fully tested and supported Servers:
- Skype for Business Server 2015 CU6 HF2 6.0.9319.516 (March 2018 update) and higher on:
  - Windows Server 2012 (with KB 3140245 or superseding update) or 2012 R2
- In-place Upgraded Skype for Business Server 2015, with CU6 HF2 and higher on:
  - Windows Server 2008 R2, 2012 (with KB 3140245 or superseding update), or 2012 R2
- Exchange Connectivity and Outlook Web App with Exchange Server 2010 SP3 RU19 or higher, guidance here
Fully tested and supported Clients:
- Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 15.0.5023.1000 and higher
- Skype for Business 2016 Desktop Client, MSI 16.0.4678.1000 and higher, including Basic
- Skype for Business 2016 Click-to-Run requires the April 2018 updates:
  - Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher
  - Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher
- Skype for Business on Mac 16.15 and higher
- Skype for Business for iOS and Android 6.19 and higher
- Skype Web App 2015 CU6 HF2 and higher (ships with Server)
Currently being investigated, check back often for updates:
- Lync Room System (a.k.a. SRSv1)
- Skype Room System (a.k.a. 'SRSv2' or Rigel)
- Surface Hub
- 2015 based Survivable Branch Appliance (SBA) or Survivable Branch Server (SBS)
- Call Quality Dashboard (new install after TLS 1.0, 1.1 have been disabled, see below)*
Except where noted, the following products are not in scope for TLS 1.0/1.1 disable support and will not function in an environment where TLS 1.0 and 1.1 have been disabled. What this means: if you still use out-of-scope servers or clients, you must update or remove them if you need to disable TLS 1.0/1.1 anywhere in your Skype for Business Server On-Premises deployment.
- Lync Server 2013*
- Windows Server 2008 and lower
- Lync for Mac 2011
- Lync 2013 for Mobile - iOS, iPad, Android or Windows Phone
- Lync "MX" Windows Store client
- All Lync 2010 clients
- Lync Phone Edition - updated guidance here.
- 2013 based Survivable Branch Appliance (SBA) or Survivable Branch Server (SBS)
*Lync Server 2013:
Lync Server 2013 takes a dependency on Windows Fabric version 1.0. In the design phase for Lync Server 2013, Windows Fabric 1.0 was chosen for its compelling and new distributed architecture to provide replication, high availability and fault tolerance. Over time, both Skype for Business Server and Windows Fabric have greatly improved this joint architecture with significant re-design in subsequent versions. Current Skype for Business 2015 Server uses Windows Fabric 3.0, for example.
Unfortunately, Windows Fabric 1.0 does not support TLS 1.2. However, we will be updating Lync Server 2013 to work with TLS 1.2. This will be coming in the next Cumulative Update for Lync Server 2013. We're providing TLS 1.2 support to enable co-existence, migration, Federation and Hybrid scenarios.
If your organization is required to disable TLS 1.0 and 1.1, and you currently use Lync Server 2013, we recommend you begin your planning process, with the possibility you may have to In-place upgrade or Side-by-Side migrate (new pools, move users) to Skype for Business Server 2015 or higher. Or you may want to accelerate migration to Skype for Business Online.
*Call Quality Dashboard:
On-Premises Call Quality Dashboard currently has a dependency on TLS 1.0 during new install (first time installing into your On-Premises environments). We are currently investigating this issue and plan to release a fix in the near future. If you are planning to install CQD and also disable TLS 1.0, we recommend you complete CQD installation first, then proceed with TLS 1.0 disabling.
3rd Party Devices:
On 3rd party devices such as 3PIP phones, Video conferencing, Reverse Proxies and Load Balancers, be sure to validate TLS 1.2 supportability, test carefully, and contact the vendor if needed.
Federation Considerations when disabling TLS 1.0/1.1 on Edge Servers:
You must carefully plan for and consider the impact of disabling TLS 1.0/1.1 on your Edge servers. Once TLS 1.0 and 1.1 are disabled, you may find that other organizations are no longer able to federate with your organization.
You may opt to keep TLS 1.0/1.1 enabled on your Edge servers to maintain backward compatibility with non-patched (SfB 2015, Lync 2013) or older (2010) external systems.
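The two preceding points (validating TLS 1.2 support on third-party devices such as reverse proxies and load balancers, and checking whether a federation partner's Edge still negotiates with you once TLS 1.0/1.1 are gone) both come down to the same test: attempt one handshake per protocol version and record which ones the remote side accepts. The PowerShell function below is an added example, not code from the original post or from the Skype for Business product group. It uses only .NET Framework types (System.Net.Sockets.TcpClient and System.Net.Security.SslStream); the host names and ports in the usage lines are placeholders.

```powershell
# Added example (not from the original post): probe which TLS versions a
# remote endpoint will negotiate, one handshake per protocol version.
# Host names and ports used below are placeholders; substitute your own.

function Test-TlsProtocolSupport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Member names of System.Security.Authentication.SslProtocols
        [string[]] $Protocols = @('Tls', 'Tls11', 'Tls12')
    )

    foreach ($proto in $Protocols) {
        $client = $null
        $ssl    = $null
        $script:PolicyErrors = 'None'   # filled in by the validation callback

        # Accept the server certificate for the purpose of the probe, but record
        # any chain/name problems so a certificate issue is reported separately
        # from a refused protocol version.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors)
            $script:PolicyErrors = $errors.ToString()
            return $true
        }

        try {
            $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            $client.ReceiveTimeout = 5000
            $client.SendTimeout    = 5000
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)

            # Offer exactly one protocol version so the outcome is unambiguous.
            $enabled = [System.Security.Authentication.SslProtocols]$proto
            $ssl.AuthenticateAsClient($HostName, $null, $enabled, $false)

            [pscustomobject]@{
                HostName   = $HostName
                Port       = $Port
                Requested  = $proto
                Supported  = $true
                Negotiated = $ssl.SslProtocol.ToString()
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
                CertErrors = $script:PolicyErrors
                Error      = $null
            }
        }
        catch {
            # A version the server refuses surfaces here as an AuthenticationException.
            [pscustomobject]@{
                HostName   = $HostName
                Port       = $Port
                Requested  = $proto
                Supported  = $false
                Negotiated = $null
                Cipher     = $null
                CertErrors = $script:PolicyErrors
                Error      = $_.Exception.GetBaseException().Message
            }
        }
        finally {
            if ($ssl)    { $ssl.Dispose() }
            if ($client) { $client.Dispose() }
        }
    }
}

# Usage (placeholder names): a third-party load balancer VIP on 443, and a
# federation partner's Access Edge on the SIP/TLS port 5061.
Test-TlsProtocolSupport -HostName 'lb.contoso.example' -Port 443 |
    Format-Table Requested, Supported, Negotiated, Cipher, CertErrors, Error -AutoSize

Test-TlsProtocolSupport -HostName 'sip.partner.example' -Port 5061 |
    Format-Table Requested, Supported, Negotiated, Cipher, CertErrors, Error -AutoSize
```

Run the probe from a machine whose own client-side TLS 1.0 and 1.1 are still enabled; once SCHANNEL on the probing host has been restricted to TLS 1.2, a "not supported" result for Tls or Tls11 tells you about the client, not the server. The probe only covers endpoints that accept connections (load balancers, reverse proxies, a partner's Edge). For devices that act purely as clients, such as 3PIP phones, the vendor's TLS 1.2 statement and a test call through the real path remain the check, as the post says.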
Microsoft cannot provide advice or recommendations on whether or not your Edge network (or any network) falls under PCI standard, that must be determined by the individual company.
Skype for Business Online is capable of TLS 1.2 today, so no impact to Hybrid/Federation with Online is expected.
PIC (Public IM Connectivity) to the Skype consumer service: we do not expect disabling TLS 1.0/1.1 to impact Skype Connectivity; Microsoft PIC Gateways are already TLS 1.2 capable.
In the next post we'll detail all the prerequisites and necessary steps to disable TLS 1.0/1.1 in your Skype for Business Server 2015 environment.