How to enforce TLS for IM between client to client in Lync?

  • Question

  • Hi,

    Internal communication between clients is either TCP or TLS, how can we enforce TLS communication only between clients?

    Thanks

    Thursday, March 15, 2012 7:07 PM

Answers

  • All signaling and instant messaging is always TLS (encrypted) and it's also always client to server, there are no client-to-client signaling/IM (5061/443) communication paths.

    Media can travel client-to-client (2-party) or client-to-server (3+ parties).  These media sessions are by default always encrypted using SRTP regardless of whether TCP or UDP is used for the communication.  Don't confuse TCP signaling (unencrypted) with TCP media (encrypted).

    If the EncryptionLevel setting in Lync Server (Set-CsMediaConfiguration) is manually configured to DoNotSupportEncryption then media will not be encrypted (SRTP will not be used).  Typically if this setting is ever changed from the default (RequireEncryption) it's only ever lowered to SupportEncryption which allows both types of media traffic in Lync (SRTP and RTP).  But in this case all native Lync clients will ask for (and receive) encryption, only third-party clients and servers which do not ask for encryption during call setup would create an encrypted media session with a Lync client.


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    Saturday, March 17, 2012 1:10 PM
    Moderator
  • Only TLS is enabled on the Clients for communications.

    http://blog.schertz.name/2010/10/lync2010-client-tls-only/ 


    Tim Harrington | MVP: Lync | MCITP: EMA 2007/2010, Lync 2010, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington

    Thursday, March 15, 2012 11:00 PM
  • Hi,

    Lync uses peer to peer communication when audio and video are involved only between two users, and they are still on TLS; if you are doing IM between two Lync clients then it still goes through the server, which is TLS. As Harrington said, only TLS is enabled for client communications. You can also use Wireshark to see which protocols are being used.

    for more information http://technet.microsoft.com/en-us/library/gg195752.aspx and http://technet.microsoft.com/en-us/library/gg398833.aspx 


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs: http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Friday, March 16, 2012 9:35 AM

All replies

  • Only TLS is enabled on the Clients for communications.

    http://blog.schertz.name/2010/10/lync2010-client-tls-only/ 


    Tim Harrington | MVP: Lync | MCITP: EMA 2007/2010, Lync 2010, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington

    Thursday, March 15, 2012 11:00 PM
  • Hey, thanks for the response.

    That setting is for client to server communication.  What about client to client communication of IM? That is not mandatorily TLS by default is it?

    Thursday, March 15, 2012 11:41 PM
  • Hi,

    Lync uses peer to peer communication when audio and video are involved only between two users, and they are still on TLS; if you are doing IM between two Lync clients then it still goes through the server, which is TLS. As Harrington said, only TLS is enabled for client communications. You can also use Wireshark to see which protocols are being used.

    for more information http://technet.microsoft.com/en-us/library/gg195752.aspx and http://technet.microsoft.com/en-us/library/gg398833.aspx 


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs: http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Friday, March 16, 2012 9:35 AM
  • Hi,

    I agree with Salahuddin.

    The client will enforce TLS always during the communication. Modalities like desktop sharing and file transfer will make use of TCP ports for communication, and the channel is always encrypted.

    Thanks
    Saleesh


    If answer is helpful, please hit the green arrow on the left, or mark as answer.

    Friday, March 16, 2012 9:42 AM
  • All signaling and instant messaging is always TLS (encrypted) and it's also always client to server, there are no client-to-client signaling/IM (5061/443) communication paths.

    Media can travel client-to-client (2-party) or client-to-server (3+ parties).  These media sessions are by default always encrypted using SRTP regardless of whether TCP or UDP is used for the communication.  Don't confuse TCP signaling (unencrypted) with TCP media (encrypted).

    If the EncryptionLevel setting in Lync Server (Set-CsMediaConfiguration) is manually configured to DoNotSupportEncryption then media will not be encrypted (SRTP will not be used).  Typically if this setting is ever changed from the default (RequireEncryption) it's only ever lowered to SupportEncryption which allows both types of media traffic in Lync (SRTP and RTP).  But in this case all native Lync clients will ask for (and receive) encryption, only third-party clients and servers which do not ask for encryption during call setup would create an encrypted media session with a Lync client.


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    Saturday, March 17, 2012 1:10 PM
    Moderator
  • Hello Jeff, does the Client Group Policy (regkey) "EnableSIPHighSecurityMode" affect the Client-to-Client IM communication security? The default value is "2" and has the effect: 2 = Medium Security Mode. TLS is not required, but server authentication must use either NTLM or Kerberos authentication. Instant messages and SUBSCRIBE SIP messages must pass through the SIP server. (Default)

    This topic is already discussed here: http://social.technet.microsoft.com/Forums/en-US/ocsclients/thread/86e875d2-8f3e-423a-9950-da5b5c740c49 and Noya's answer was "EnableSIPHighSecurityMode is one of the group policies needed for client bootstrapping. It enables Lync to send and receive instant messages more securely."

    How does Lync behave when the mode is not set? As you mentioned, all traffic passes through the server and therefore it must be TLS?!

    Is it necessary to set the Group Policy to force TLS Mode on all Clients, or is it not needed because all traffic passes through the server and TLS is always used?

    Thanks and regards

    Tuesday, March 20, 2012 8:50 AM
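The two settings discussed in this thread, the server-side EncryptionLevel from Set-CsMediaConfiguration in Jeff's answer and the client-side EnableSIPHighSecurityMode policy in the last question, can both be audited from PowerShell. The script below is an added example, not code from the thread or from Microsoft; it assumes the server part runs in the Lync Server Management Shell on a front end, and the registry path used for the client policy (HKLM:\SOFTWARE\Policies\Microsoft\Communicator) is an assumption to verify against your own policy template. The functions Test-LyncMediaEncryption and Get-LyncSipSecurityMode are names chosen for this example.

```powershell
# Added example (not from the thread): audit the media encryption level on the
# server and the EnableSIPHighSecurityMode policy on a client.

# --- Server side: EncryptionLevel from Get-/Set-CsMediaConfiguration ---
# Reports every media configuration whose level is below RequireEncryption and,
# with -Remediate, sets it back to the default. Requires the Lync Server
# Management Shell (assumption).
function Test-LyncMediaEncryption {
    [CmdletBinding()]
    param([switch]$Remediate)

    foreach ($cfg in Get-CsMediaConfiguration) {
        $level = [string]$cfg.EncryptionLevel
        if ($level -eq 'RequireEncryption') {
            Write-Output ("{0}: {1} (OK)" -f $cfg.Identity, $level)
            continue
        }
        # SupportEncryption lets peers that do not ask for SRTP use plain RTP;
        # DoNotSupportEncryption disables SRTP altogether.
        Write-Warning ("{0}: EncryptionLevel is {1}, not RequireEncryption" -f $cfg.Identity, $level)
        if ($Remediate) {
            Set-CsMediaConfiguration -Identity $cfg.Identity -EncryptionLevel RequireEncryption
            Write-Output ("{0}: reset to RequireEncryption" -f $cfg.Identity)
        }
    }
}

# --- Client side: EnableSIPHighSecurityMode policy value ---
# Returns whether the policy is configured and, if so, its value. The thread
# quotes the client default as 2 (Medium Security Mode) when nothing is set.
function Get-LyncSipSecurityMode {
    # Registry path is an assumption; confirm it against your GPO template.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Communicator'
    $item = Get-ItemProperty -Path $policyPath -Name EnableSIPHighSecurityMode -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Value = $null }
    }
    [pscustomobject]@{ Configured = $true; Value = $item.EnableSIPHighSecurityMode }
}

# Usage: audit only (add -Remediate to enforce the default level)
Test-LyncMediaEncryption
Get-LyncSipSecurityMode
```

Run the first function on a front end and the second on a workstation; a result of Configured = $false on the client means the policy is not set, so the client is running with its built-in default, which is the case the last question asks about.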