Preparing for TLS 1.0/1.1 Deprecation – O365 Skype for Business

INTRODUCTION

 

The purpose of this blog post is to provide the necessary guidance for our Skype for Business Server, Lync Server, and Skype for Business Online customers to prepare for the deprecation of TLS 1.0 and 1.1 in Office 365. 

 

Please carefully review all the information in this blog post as you prepare for the mandatory use of TLS 1.2 in Office 365.  Note that there may be many dependencies and connectivity considerations in your environment so extensive planning and testing is advised.

 

BACKGROUND

 

We are planning to discontinue support for Transport Layer Security (TLS) versions 1.0 and 1.1 in Microsoft Office 365 on October 31, 2018.  This was previously announced in the following support article. https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

 

This change will provide our customers with the best-in-class encryption for our customers.  For more details on TLS, please consult the following whitepaper: here

 

For additional background understanding of TLS (and a great resource for Exchange customers), see the following blog post.

 

HOW TO PREPARE

 

If you would like to prepare your environments for the upcoming TLS 1.2 change, there are three general scenarios you should review and, if applicable to your organization, adequately plan and prepare for.

  1. Lync/Skype client connectivity to Office 365
  2. On-premises server integration w/Office 365
  3. 3rd party integration with Skype for Business Online

We will cover each of these scenarios independently in the following sections.

 

Lync/Skype client connectivity to Office 365


Lync and Skype for Business clients may connect to Skype for Business Online, Exchange Online or both depending on where the account for these services are homed (online or on-premises). For example, if a Skype for Business client has their account homed in Lync Server 2013 on-premises, the client will still connect to Exchange Online if respective mailbox for the user is homed in Office 365.


As such, you need to follow the proceeding guidance if you fall into one of the following 3 client connectivity scenarios that has been flagged as ‘Preparation required”.

 

Mailbox Location

Lync/Skype account location

Preparation Required

Online

Online

Yes

On-premises

Online

Yes

Online

On-premises

Yes

On-premises

On-premises

No*

 

*although you are not required to prepare for client connectivity scenarios, you still may be required to remediate your on-premises infrastructure if you federate with any customers that reside in Skype for Business Online.  This scenario will be covered further in the next section.

 

To prepare your organization for the client connectivity scenarios, you should ensure that your clients meet the following minimum versions.

 

  • Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 0.5023.1000 and higher
  • Skype for Business 2016 Desktop Client, MSI 0.4678.1000 and higher, including Basic
  • Skype for Business 2016 Click to Run Require the April 2018 Updates:
    • Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher
    • Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher
  • Skype for Business on Mac 16.15 and higher
  • Skype for Business for iOS and Android 6.19 and higher

 

The following clients and devices do not fully support TLS 1.2, and therefore, you must transition to a fully TLS 1.2 capable version in the list.

 

    • Lync for Mac 2011
    • Lync 2013 for Mobile - iOS, iPad, Android or Windows Phone
    • Lync "MX" Windows Store client
    • All Lync 2010 clients
    • Lync Phone Edition.  There is further guidance provided for these devices located here.
    • Lync Room System (a.k.a. SRSv1)
      • LRS Options - Upgrading SRSv1 (LRS) Systems to SRS v2 – Further guidance is coming soon

 

The following devices currently do not support TLS 1.2, but are actively being reviewed and we should provide further guidance later.  Keep checking back here for updates.

 

  • Skype Room System (a.k.a. 'SRSv2' or Rigel)
  • Surface Hub

 

In addition to the preceding client remediation, it is important to ensure that the underlying OS and default browser supports TLS 1.2. For Microsoft OS support, you can consult our TLS whitepaper.  Note: Windows 7 by default does not have TLS 1.2 enabled by default.  The aforementioned whitepaper includes guidance on how to enable TLS 1.2 in Windows 7.  The following link will provide you with guidance on TLS 1.2 capability for browsers. https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

 

On-premises server integration w/Office 365

 

There are several hybrid topologies that are covered under this scenario.  This includes any integration or Hybrid with Skype for Business Online or Exchange Online.  For your reference, all the supported on-premises Skype to Exchange integration scenarios are covered here.

 

The following table provides an overview of the scenarios that require preparation and where to find the respective guidance.

 

Deployed on-premises

Integration/Hybrid with

Preparation Required

Guidance

Skype for Business Server or Lync Server on-premises

Skype for Business Online

Yes

This article

Skype for Business Server or Lync Server on-premises

Federation with other customers or partners in Office 365 (current or future)

Yes

This article

Skype for Business Server or Lync Server on-premises

Exchange Server

Yes

This article

Exchange Server on-premises

Skype for Business Online

 

Yes

Follow the guidance in the Exchange blog series.

Cloud Connector Edition (CCE)

Skype for Business Online

No

CCE already communicates with Skype for Business Online with TLS 1.2 only.

Skype for Business Server or Lync Server on-premises

Exchange Server on-premises

No.   (ensure you do not federate with customers in Office 365 as described in the first scenario)

N/A

 

If your organization falls under the first four scenarios, you are required to upgrade your on-premises server environment to one of the following versions.

 

 

If you are a customer that is running Lync Server 2010, we recommend that you upgrade to Skype for Business Server 2015 HF2 6.0.9319.516 or higher.  Note: Hybrid or integration scenarios with Office Communications Server 2007 R2 or earlier are not supported. 

 

 

3rd Party integration with Skype for Business Online

 

Skype for Business Online provides several supported SDKs and APIs.  If you are using a product from a 3rd party vendor that integrates with the SDKs or APIs, then consult your vendor to ensure that it fully supports TLS 1.2.  If you have written a custom in-house application that integrates with Skype for Business Online via these APIs and SDKs, then it is highly recommended that you follow the guidance in our TLS white paper.  The white paper provides guidance to ensure your application is fully TLS 1.2 capable and provide guidance on how to validate through testing.   

 

OTHER CONSIDERATIONS

 

Your organization’s environment may be comprised of various networking or security devices that may include; proxy servers and load balancers, or other networking components.  Be sure to validate TLS 1.2 supportability, test carefully, and contact the vendor if needed.

 

 

By |2018-08-15T11:36:28+00:00August 15th, 2018|Uncategorized|0 Comments