As you may already know, TLS 1.2 is now becoming the industry standard. Many companies now have a compliance requirement to implement TLS 1.2 and disable TLS 1.0 and 1.1.

Microsoft SQL Server and Exchange Server have become fully compliant with TLS 1.2. Skype for Business is not far behind: Microsoft just announced that the CU6 HF2 update for Skype for Business Server contains the changes needed to be compliant with the TLS 1.2 requirement. Note that this update is only for Skype for Business Server 2015 running on Windows Server 2012 or higher; Microsoft is currently working on older versions.

Office 365:

Microsoft is also moving forward with TLS 1.2 in Office 365 and will soon discontinue support for TLS 1.0 and 1.1. The deadline for implementing TLS 1.2 is October 31, 2018.

https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

Note that, based on our testing, Office 365 already has TLS 1.2 enabled for most applications; Microsoft just has not disabled TLS 1.0 and 1.1 yet. If you only use Skype for Business Online with no on-premises deployment, the impact is minimal, but you still need to make sure all clients (including IP phones) are updated to a version that supports TLS 1.2.

On-Premise and Hybrid Deployment:

Microsoft recently released Cumulative Update 6 HF2 (the March 2018 update), which contains the changes needed for TLS 1.2.

https://support.microsoft.com/en-us/help/4086059/march-2018-cumulative-update-6-0-9319-516-for-skype-for-business

Assuming you have Skype for Business Server 2015 installed on Windows Server 2012, in order to be fully compliant with TLS 1.2 and disable TLS 1.0 and 1.1 you will need to:

  • Apply this update to your Skype for Business Server.
  • Also apply the KB 3140245 update (or later) to the Windows Server 2012 operating system. (This may not apply to Windows Server 2012 R2; see the 'Test Results' section.)
  • Update the SQL backend to support TLS 1.2.
  • Update all clients to a supported version (see the following articles for details).
  • Make the SCHANNEL registry changes to disable TLS 1.0 and 1.1.
  • Make sure Exchange Server is also fully compliant with TLS 1.2; otherwise, any Exchange integration will break.
  • Make sure all IP phones (integrated with the Skype for Business client) are also compliant with TLS 1.2.
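The registry step above is the one most people get wrong, so here is an added example of what it looks like in PowerShell, together with a small check to confirm the result. This is not from the original post or from Microsoft's articles; it assumes Windows Server 2012 R2 with a patched .NET Framework 4.5 or later, must be run elevated, and requires a reboot for the SCHANNEL change to take effect. The host name 'sfb-fe.contoso.com' in the usage comment is a placeholder.

```powershell
# Added example (not from the original post or from Microsoft): disable TLS 1.0/1.1 in SCHANNEL,
# explicitly enable TLS 1.2, make .NET 4.x follow the OS protocol defaults, and verify the result.
# Assumes Windows Server 2012 R2 with .NET 4.5+ already patched. Run elevated; reboot afterwards.
#Requires -RunAsAdministrator

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Both the Client and Server sub-keys matter: the front end is a TLS client towards
    # SQL, Exchange and federation partners, and a TLS server towards clients and phones.
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $schannel "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 stops SSPI callers that
        # ask for "system default" protocols from negotiating it.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Disable the legacy protocols and enable TLS 1.2 explicitly rather than relying on the OS default.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# Skype for Business services and the SQL client are managed code, so tell .NET 4.x to use
# strong crypto and the SCHANNEL defaults. Set both the 64-bit and the WOW6432Node hives.
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (-not (Test-Path $hive)) { New-Item -Path $hive -Force | Out-Null }
    New-ItemProperty -Path $hive -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $hive -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verification helper: attempt a handshake with exactly one protocol version against host:port.
# Returns $true if the handshake succeeds. After the reboot, TLS 1.0 and 1.1 must fail and
# TLS 1.2 must succeed. Point it at the front end (443), and at any gateway, IP-PBX or SIP
# trunk that talks TLS to the Mediation Server (for example port 5067) to catch the call-failure
# case before you cut over.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [ValidateSet('Tls', 'Tls11', 'Tls12')][string]$Protocol = 'Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate validation is deliberately skipped: this only tests protocol negotiation.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $version = [System.Enum]::Parse([System.Security.Authentication.SslProtocols], $Protocol)
        $ssl.AuthenticateAsClient($ComputerName, $null, $version, $false)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Usage after the reboot (placeholder FQDN):
# foreach ($p in 'Tls', 'Tls11', 'Tls12') {
#     "{0,-6} {1}" -f $p, (Test-TlsProtocol -ComputerName 'sfb-fe.contoso.com' -Protocol $p)
# }
```

Run the check before making the change as well as after, so you know which peers (older clients, IP phones, a gateway) were still negotiating TLS 1.0 or 1.1 and will be affected when it is turned off.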

The following articles from Microsoft have detailed information.

https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-1/

https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-2/

Test Results:

  • I have installed this update on a Standard Edition server running on Windows 2012 R2.
  • All the services started successfully.
  • For Windows 2012 R2, with the March updates and .NET version 4.5 or higher, you do not need KB 3140245. Also, the 'easy fix' app (which is a registry key import file) does not apply.
  • I have not yet tested all the client-side features; if there are any issues I will update this blog.

Things to consider:

  1. If you have a Skype for Business hybrid configuration, you need to be mindful of the October 31 deadline and make sure your on-premises Skype for Business environment is updated for TLS 1.2.
  2. Any custom web-based application (such as a chatbot) needs to be tested to make sure it is compliant.
  3. Before disabling TLS 1.0 and 1.1, note that federation, desktop sharing and application sharing might break between organizations if the clients on both sides are not fully compliant with TLS 1.2. Based on our testing, this usually happens with older versions of the client.
  4. Older IP phones such as the Polycom CX300 and CX600 series and Aastra and HP phones running Windows CE will break unless a new firmware update addresses this; the current firmware does not support TLS 1.2. Note that these phones are already out of their support lifecycle, so the chances of the firmware being updated for TLS 1.2 are low; you may need to plan to replace them.
  5. Perhaps the most important thing to check is the connection between Skype for Business Server and the PBX system for Enterprise Voice. If you have SRTP and/or TLS enabled between the gateway and the Mediation Server, make sure that the gateway (or IP-PBX or SIP trunk) supports TLS 1.2; otherwise, you will have call failures.