SfB 2015 Security Questions

  • Question

  • Hello!

    I have a couple of Skype for Business security questions about interactions between internal and remote users.

    We plan to have remote users (our internal users on a desktop or mobile client outside our network) and no federated or other types of users.

    1. Are all peer-to-peer audio and video calls encrypted? In Wireshark I saw only STUN, CLASSIC-STUN and UDP packets and no SRTP packets (or conversations), as described here 

    2. Can I allow all internal SfB calls (A+V) and restrict remote users' calls? Remote users should be text chat only, with no file transfer.

    3. How can I enable the "most secured SfB mode", where all possible communications are encrypted?

    4. What is encrypted in SfB 2015 by default? What can be encrypted? And what cannot be encrypted at all?

    Thanks a lot for your answers!

    Tuesday, November 6, 2018 11:37 AM


All replies

  • Hi AntonKarlan,

    1. Are all peer-to-peer audio and video calls encrypted?
    Yes, SfB internal peer-to-peer A/V calls should be encrypted by default with SRTP. You could run the following cmdlet in your environment to check the EncryptionLevel. 

    Get-CsMediaConfiguration | select identity, EncryptionLevel

    2. Can I allow all internal SfB calls (A+V) and restrict remote users' calls?
    As I do not have an environment to test in, I suggest you try the following commands. 

    New-CsExternalAccessPolicy -Identity DisableOutsideAV -EnablePublicCloudAudioVideoAccess $false
    Grant-CsExternalAccessPolicy -Identity user.domain -PolicyName DisableOutsideAV

    According to the official document, after setting the value of EnablePublicCloudAudioVideoAccess to False, audio and video options in Skype for Business will be disabled any time a user is communicating with a public Internet connectivity contact.

    3. How can I enable the "most secured SfB mode", where all possible communications are encrypted?
    For the security settings, I suggest you refer to the official document for more details: Plan for security in Skype For Business Server

    4. What is encrypted in SfB 2015 by default? What can be encrypted? And what cannot be encrypted at all?
    As the official document you provided describes, all of those traffic types are encrypted by default if you have not customized the settings.


    Best Regards,
    Evan Jiang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    • Proposed as answer by woshixiaobai Friday, November 9, 2018 6:43 AM
    • Marked as answer by AntonKarlan Tuesday, November 13, 2018 2:44 AM
    Wednesday, November 7, 2018 3:02 AM
  • Hello, Evan!

    Thanks a lot for your answers, but I have a couple more questions.

    1. Are all peer-to-peer audio and video calls encrypted?
    Yes, SfB internal peer-to-peer A/V calls should be encrypted by default with SRTP. You could run the following cmdlet in your environment to check the EncryptionLevel. 

    Get-CsMediaConfiguration | select identity, EncryptionLevel

    I checked the encryption level and it was, as in your example, SupportEncryption.

    I set it to RequireEncryption with the cmdlet

    Set-CsMediaConfiguration -EncryptionLevel RequireEncryption

    Does that guarantee that all peer-to-peer calls will be encrypted?

    I did a network traffic dump with Wireshark during a peer-to-peer audio call in the same network segment and with a remote user (via the Edge server); no SRTP traffic was found, again only STUN, CLASSIC-STUN and UDP packets.

    2. Can I allow all internal SfB calls (A+V) and restrict remote users' calls?
    As I do not have an environment to test in, I suggest you try the following commands. 

    New-CsExternalAccessPolicy -Identity DisableOutsideAV -EnablePublicCloudAudioVideoAccess $false
    Grant-CsExternalAccessPolicy -Identity user.domain -PolicyName DisableOutsideAV

    According to the official document, after setting the value of EnablePublicCloudAudioVideoAccess to False, audio and video options in Skype for Business will be disabled any time a user is communicating with a public Internet connectivity contact.

    I think you didn't get the question. Remote users are internal users outside the company's internal network. Can we allow all internal (in the company network) A/V calls and restrict all A/V calls with remote users (internal users on the Internet)?

    3. How can I enable the "most secured SfB mode", where all possible communications are encrypted?
    For the security settings, I suggest you refer to the official document for more details: Plan for security in Skype For Business Server

    Thanks, I will follow it.

    4. What is encrypted in SfB 2015 by default? What can be encrypted? And what cannot be encrypted at all?
    As the official document you provided describes, all of those traffic types are encrypted by default if you have not customized the settings.

    How can I check whether a particular communication is encrypted? Does Get-CsMediaConfiguration show all of that? Or are there separate cmdlets for different types of communication? Can you give me examples of that?


    • Edited by AntonKarlan Wednesday, November 7, 2018 8:58 AM
    Wednesday, November 7, 2018 8:56 AM
  • Hi AntonKarlan,

    1. If you set the value of EncryptionLevel to RequireEncryption, it should be encrypted. If the call is a PSTN call and you have configured media bypass, the PSTN call will not be encrypted by SRTP. You could check your settings.

    2. I suggest you test this policy for one user; it should block all the A/V calls when users are in the Internet environment. I have used this command with the value of -EnableOutsideAccess set to false; this will block the users in the organization from logging in from outside the internal environment, so users can only log in in the internal environment. As I do not have an environment to test in, I suggest you try it with a test user.

    4. The Get-CsMediaConfiguration cmdlet only retrieves one or more collections of settings that define media interactions; it cannot show which type of communication is encrypted. You could refer to the official document for more details about Get-CsMediaConfiguration. If you want to check the communication, you could use a third-party product to check the network traffic, such as the Wireshark you used.

    Best Regards,
    Evan Jiang



    • Proposed as answer by woshixiaobai Friday, November 9, 2018 6:43 AM
    • Marked as answer by AntonKarlan Tuesday, November 13, 2018 2:44 AM
    Thursday, November 8, 2018 9:25 AM
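    Two checks that follow from the replies above (the EncryptionLevel check in the first answer and the media bypass caveat in the one just above), as an added example that is not part of the thread. It is written for the Skype for Business Server Management Shell and assumes the SkypeForBusiness module is loaded and the account holds the CsServerAdministrator role. The point it adds: Set-CsMediaConfiguration with no -Identity changes only the Global collection, and a site-scoped collection left at SupportEncryption overrides it for that site, so the audit walks every collection rather than trusting the global value. It also reads the media bypass configuration, since a bypassed PSTN leg is the case the reply above names as not SRTP-protected. On the Wireshark observation: SfB media and STUN share one UDP port, and Wireshark will not label the stream SRTP on its own (it does so only when it has seen the SDP key exchange, which in SfB travels inside TLS-protected SIP); at most it can be told to decode the packets as RTP (Analyze > Decode As, or the rtp_udp heuristic) and will then show an opaque payload. The server-side configuration, not the capture, is the evidence that encryption is required.

```powershell
# Added example, not from the thread. Run in the Skype for Business Server Management Shell.
# Assumptions: SkypeForBusiness module loaded; CsServerAdministrator rights.

function Get-MediaEncryptionReport {
    # One row per media configuration collection (Global plus any site-scoped ones).
    # A site-scoped collection overrides Global, so every row must show RequireEncryption.
    Get-CsMediaConfiguration | ForEach-Object {
        [pscustomobject]@{
            Identity        = $_.Identity
            EncryptionLevel = [string]$_.EncryptionLevel
            RequiresSrtp    = ([string]$_.EncryptionLevel -eq 'RequireEncryption')
        }
    }
}

function Set-MediaEncryptionRequired {
    # Raises every collection that is below RequireEncryption. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($cfg in Get-CsMediaConfiguration) {
        if ([string]$cfg.EncryptionLevel -ne 'RequireEncryption' -and
            $PSCmdlet.ShouldProcess($cfg.Identity, 'Set EncryptionLevel to RequireEncryption')) {
            Set-CsMediaConfiguration -Identity $cfg.Identity -EncryptionLevel RequireEncryption
        }
    }
}

function Get-MediaBypassStatus {
    # Media bypass sends PSTN media directly between the client and the gateway; when it
    # is enabled, that leg is outside the SRTP requirement above (see the reply).
    $bypass = Get-CsNetworkMediaBypassConfiguration
    [pscustomobject]@{
        MediaBypassEnabled = $bypass.Enabled
        AlwaysBypass       = $bypass.AlwaysBypass
    }
}

# Usage
Get-MediaEncryptionReport | Format-Table -AutoSize
Set-MediaEncryptionRequired -WhatIf                                  # preview the changes
# Set-MediaEncryptionRequired                                        # apply them
Get-MediaEncryptionReport | Where-Object { -not $_.RequiresSrtp }    # expect no output afterwards
Get-MediaBypassStatus
```

    Run the report before and after the change; a site-scoped row still showing SupportEncryption after a plain Set-CsMediaConfiguration call is exactly the gap the -Identity loop closes.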
  • Hi AntonKarlan,

    Is there any update on this issue? If the reply is helpful to you, please mark it as an answer; it will help others who have a similar issue.

    Best Regards,
    Evan Jiang



    Monday, November 12, 2018 5:34 AM
    2. I suggest you test this policy for one user; it should block all the A/V calls when users are in the Internet environment. I have used this command with the value of -EnableOutsideAccess set to false; this will block the users in the organization from logging in from outside the internal environment, so users can only log in in the internal environment. As I do not have an environment to test in, I suggest you try it with a test user.

    I think I found an acceptable solution for my question #2.

    A/V calls are enabled for all users. If a user wants the ability to connect remotely, I can disable A/V calls for that particular user via the Control Panel or via the Set-CsUser -AudioVideoDisabled $True cmdlet.

    • Marked as answer by AntonKarlan Tuesday, November 13, 2018 2:51 AM
    Tuesday, November 13, 2018 2:51 AM
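    The approach in the post above, carried across a list of users, as an added example that is not part of the thread. Users who need to sign in from outside the network are granted a per-user external access policy with EnableOutsideAccess and have A/V turned off with Set-CsUser -AudioVideoDisabled, which disables A/V for them everywhere, internal calls included, as the post accepts; everyone else keeps the default policy and their A/V. A final audit lists any user whose effective external access policy permits outside sign-in while A/V is still enabled. Assumptions: Skype for Business Server Management Shell with CsUserAdministrator rights; the policy name RemoteTextOnly and the SIP addresses are placeholders; Get-CsUser's ExternalAccessPolicy property carries the per-user policy name when one is assigned and is empty otherwise; and users with no per-user policy are resolved to Global (site-scoped external access policies are not resolved here).

```powershell
# Added example, not from the thread. Run in the Skype for Business Server Management Shell.
# Assumptions: CsUserAdministrator rights; policy name and SIP addresses are placeholders.

$remotePolicyName = 'RemoteTextOnly'   # hypothetical per-user policy name

# Per-user policy that allows sign-in from outside the network and nothing else
# (no federation, no public IM connectivity). Created once; later runs reuse it.
if (-not (Get-CsExternalAccessPolicy -Identity "tag:$remotePolicyName" -ErrorAction SilentlyContinue)) {
    New-CsExternalAccessPolicy -Identity $remotePolicyName `
        -EnableOutsideAccess $true `
        -EnableFederationAccess $false `
        -EnablePublicCloudAccess $false | Out-Null
}

function Set-RemoteUserTextOnly {
    # Grants outside access and turns A/V off for each user in $SipAddresses.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$SipAddresses)
    foreach ($sip in $SipAddresses) {
        if ($PSCmdlet.ShouldProcess($sip, "Grant $remotePolicyName and disable A/V")) {
            Grant-CsExternalAccessPolicy -Identity $sip -PolicyName $remotePolicyName
            Set-CsUser -Identity $sip -AudioVideoDisabled $true
        }
    }
}

function Get-RemoteUserWithAv {
    # Audit: users whose effective external access policy allows outside sign-in
    # but who still have A/V enabled. Users with no per-user policy are assumed
    # to inherit Global (site-scoped policies are not resolved here).
    $globalPolicy = Get-CsExternalAccessPolicy -Identity Global
    Get-CsUser | ForEach-Object {
        $policy = if ($_.ExternalAccessPolicy) {
            Get-CsExternalAccessPolicy -Identity "tag:$($_.ExternalAccessPolicy)"
        } else {
            $globalPolicy
        }
        if ($policy.EnableOutsideAccess -and -not $_.AudioVideoDisabled) {
            [pscustomobject]@{ SipAddress = $_.SipAddress; Policy = $policy.Identity }
        }
    }
}

# Usage (constructed sample SIP addresses)
$remoteUsers = 'sip:alice@contoso.example', 'sip:bob@contoso.example'
Set-RemoteUserTextOnly -SipAddresses $remoteUsers -WhatIf
# Set-RemoteUserTextOnly -SipAddresses $remoteUsers
Get-RemoteUserWithAv | Format-Table -AutoSize    # expect no rows once the grant has run
```

    If the Global policy itself has EnableOutsideAccess set to True, the audit will list every user with A/V enabled, which is the signal that the "remote users get A/V disabled" rule is not actually holding.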
  • Hi AntonKarlan,

    Thanks for sharing.


    Best Regards,
    Evan Jiang



    Tuesday, November 13, 2018 6:54 AM