none
SfB 2015 Security Questions RRS feed

  • Question

  • Hello!

    I have a couple Skype for Business security questions about interactions between internal and remote users.

    We plan to have remote users (our internal users on desktop or mobile client outside our network) and no federated or other type of users.

    1. Does all peer-to-peer Audio and Video calls are encrypted? In Wireshark I saw only STUN, CLASSIC-STUN and UDP packets and no SRTP packets (or conversations), as described here 

    2. Can I allow all internal SfB calls (A+V) and restrict remote users calls? Remote users should be text chat only with no file transfer.

    3. How can I enable the "most secured SfB mode" where all posible communications will be encrypted?

    4. What is encrypted in SfB 2015 by default? What can be encrypted? And what can not be encrypted anyway?

    Thanks a lot for answers!

    Tuesday, November 6, 2018 11:37 AM

Answers

  • Hi AntonKarlan,

    1. Does all peer-to-peer Audio and Video calls are encrypted?
    Yes, SFB internal peer-to-peer A/V calls should be encrypted by default with SRTP. You could try to run the following cmdlet in your environment to check the EncryptionLevel. 

    Get-CsMediaConfiguration | select identity, EncryptionLevel

    2. Can I allow all internal SfB calls (A+V) and restrict remote users calls?
    As I did not have the environment to do test, I suggest you could try to use this command to do test. 

    New-CsExternalAccessPolicy -Identity DisableOutsideAV -EnablePublicCloudAudioVideoAccess  $false
    Grant-CsExternalAccessPolicy -Identity user.domain -PolicyName DisableOutsideAV

    According to the official document, After set the value of EnablePublicCloudAudioVideoAccess to False, audio and video options in Skype for Business will be disabled any time a user is communicating with a public Internet connectivity contact.

    3. How can I enable the "most secured SfB mode" where all posible communications will be encrypted?
    About the security setting, I suggest you could refer to the official document to find more details: Plan for security in Skype For Business Server

    4. What is encrypted in SfB 2015 by default? What can be encrypted? And what can not be encrypted anyway?
    As the official document descripted you provided, the types of traffic all will be encrypted by default if you did not do the customer settings.


    Best Regards,
    Evan Jiang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Wednesday, November 7, 2018 3:02 AM
    Moderator
  • Hi AntonKarlan,

    1. If you set the value of EncryptionLevel to RequireEncryption, it should be encrypted. if the call is PSTN call and you configured the media bypass, it will not be encrypted by SRTP for the PSTN call. You could try to check your settings.

    2. I suggest you could try to test this policy for one user, it should block all the A/V calls when users in the internet environment. I have used this command with the value false of -EnableOutsideAccess, this will block the users in the organization to login in the internal environment, users can only login in the internal environment. As I do not have environment to test, so I suggest you could try it for a test user about it.

    4. The Get-CsMediaConfiguration cmdlet only retrieves one or more collections of settings that define media interactions, it could not show which type of communication be encrypted. You could refer to the official document find more details about Get-CsMediaConfiguration. If you want to check the communication, you could use the third product to check the network traffic, such as WireShark you used.

    Best Regards,
    Evan Jiang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, November 8, 2018 9:25 AM
    Moderator
  • 2. I suggest you could try to test this policy for one user, it should block all the A/V calls when users in the internet environment. I have used this command with the value false of -EnableOutsideAccess, this will block the users in the organization to login in the internal environment, users can only login in the internal environment. As I do not have environment to test, so I suggest you could try it for a test user about it.

    I think I found an acceptable solution for my question #2

    A/V calls are enabled for all users. If user wants to have ability to remote connect, I can disable A/V calls for that particular user via Control Panel or via Set-CsUser -AudioVideoDisabled $True commandlet.

    • Marked as answer by AntonKarlan Tuesday, November 13, 2018 2:51 AM
    Tuesday, November 13, 2018 2:51 AM

All replies

  • Hi AntonKarlan,

    1. Does all peer-to-peer Audio and Video calls are encrypted?
    Yes, SFB internal peer-to-peer A/V calls should be encrypted by default with SRTP. You could try to run the following cmdlet in your environment to check the EncryptionLevel. 

    Get-CsMediaConfiguration | select identity, EncryptionLevel

    2. Can I allow all internal SfB calls (A+V) and restrict remote users calls?
    As I did not have the environment to do test, I suggest you could try to use this command to do test. 

    New-CsExternalAccessPolicy -Identity DisableOutsideAV -EnablePublicCloudAudioVideoAccess  $false
    Grant-CsExternalAccessPolicy -Identity user.domain -PolicyName DisableOutsideAV

    According to the official document, After set the value of EnablePublicCloudAudioVideoAccess to False, audio and video options in Skype for Business will be disabled any time a user is communicating with a public Internet connectivity contact.

    3. How can I enable the "most secured SfB mode" where all posible communications will be encrypted?
    About the security setting, I suggest you could refer to the official document to find more details: Plan for security in Skype For Business Server

    4. What is encrypted in SfB 2015 by default? What can be encrypted? And what can not be encrypted anyway?
    As the official document descripted you provided, the types of traffic all will be encrypted by default if you did not do the customer settings.


    Best Regards,
    Evan Jiang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Wednesday, November 7, 2018 3:02 AM
    Moderator
  • Hello, Evan!

    Thanks a lot for your answers, but I have a couple more questions.

    1. Does all peer-to-peer Audio and Video calls are encrypted?
    Yes, SFB internal peer-to-peer A/V calls should be encrypted by default with SRTP. You could try to run the following cmdlet in your environment to check the EncryptionLevel. 

    Get-CsMediaConfiguration | select identity, EncryptionLevel

    I checked Encryption level and it was, as in your expamle, SupportEncryption.

    I set it to RequireEncryption with commandlet

    Set-CsMediaConfiguration -EncryptionLevel RequireEncryption

    Is that guarantees that all peer-to-peer calls will be encrypted?

    I did a network traffic dump with WireShark while peer-to-peer audio call in same network segment and with remote user (via Edge server) - no SRTP traffic found, again only STUN, CLASSIC-STUN and UDP packets.

    2. Can I allow all internal SfB calls (A+V) and restrict remote users calls?
    As I did not have the environment to do test, I suggest you could try to use this command to do test. 

    New-CsExternalAccessPolicy -Identity DisableOutsideAV -EnablePublicCloudAudioVideoAccess  $false
    Grant-CsExternalAccessPolicy -Identity user.domain -PolicyName DisableOutsideAV

    According to the official document, After set the value of EnablePublicCloudAudioVideoAccess to False, audio and video options in Skype for Business will be disabled any time a user is communicating with a public Internet connectivity contact.

    I think, that you didn't get the question. Remote users is a internal users from outside company internal network. Can we grant all internal (in company network) A/V calls and restrict all A/V calls with remote users (internal users from internet)?

    3. How can I enable the "most secured SfB mode" where all posible communications will be encrypted?
    About the security setting, I suggest you could refer to the official document to find more details: Plan for security in Skype For Business Server

    Thanks, I will follow it.

    4. What is encrypted in SfB 2015 by default? What can be encrypted? And what can not be encrypted anyway?
    As the official document descripted you provided, the types of traffic all will be encrypted by default if you did not do the customer settings.

    How can I check if particular communication is encrypt? Does Get-CsMediaConfiguration show all of that? Or there some separate commandlets for different types of communications? Can you give me examples of that?


    • Edited by AntonKarlan Wednesday, November 7, 2018 8:58 AM
    Wednesday, November 7, 2018 8:56 AM
  • Hi AntonKarlan,

    1. If you set the value of EncryptionLevel to RequireEncryption, it should be encrypted. if the call is PSTN call and you configured the media bypass, it will not be encrypted by SRTP for the PSTN call. You could try to check your settings.

    2. I suggest you could try to test this policy for one user, it should block all the A/V calls when users in the internet environment. I have used this command with the value false of -EnableOutsideAccess, this will block the users in the organization to login in the internal environment, users can only login in the internal environment. As I do not have environment to test, so I suggest you could try it for a test user about it.

    4. The Get-CsMediaConfiguration cmdlet only retrieves one or more collections of settings that define media interactions, it could not show which type of communication be encrypted. You could refer to the official document find more details about Get-CsMediaConfiguration. If you want to check the communication, you could use the third product to check the network traffic, such as WireShark you used.

    Best Regards,
    Evan Jiang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, November 8, 2018 9:25 AM
    Moderator
  • Hi AntonKarlan,

    Is there any update for this issue, if the reply is helpful to you, please try to mark it as an answer, it will help others who have the similar issue.

    Best Regards,
    Evan Jiang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Monday, November 12, 2018 5:34 AM
    Moderator
  • 2. I suggest you could try to test this policy for one user, it should block all the A/V calls when users in the internet environment. I have used this command with the value false of -EnableOutsideAccess, this will block the users in the organization to login in the internal environment, users can only login in the internal environment. As I do not have environment to test, so I suggest you could try it for a test user about it.

    I think I found an acceptable solution for my question #2

    A/V calls are enabled for all users. If user wants to have ability to remote connect, I can disable A/V calls for that particular user via Control Panel or via Set-CsUser -AudioVideoDisabled $True commandlet.

    • Marked as answer by AntonKarlan Tuesday, November 13, 2018 2:51 AM
    Tuesday, November 13, 2018 2:51 AM
  • Hi AntonKarlan,

    Thanks for your sharing.


    Best Regards,
    Evan Jiang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Tuesday, November 13, 2018 6:54 AM
    Moderator