SfB Mediation server TLS version support

  • Question

  • Hi all,

    In Microsoft's interoperability program it is mentioned that TLS v1.2 is mandatory.

    I want to connect with SIP trunking a PBX that supports TLS1.0 / TLS1.1.

    Am I going to have a problem? Is there any setting in mediation server where we may force mediation server to "talk" only with TLS1.0/TLS1.1?

    Thanks.

     

    Friday, July 15, 2016 11:08 AM

Answers

  • https://blogs.office.com/2014/10/29/protecting-ssl-3-0-vulnerability/ (excerpt from the link)

    Starting on December 1, 2014, Office 365 will begin disabling support for SSL 3.0. This means that from December 1, 2014, all client/browser combinations will need to utilize TLS 1.0 or higher to connect to Office 365 services without issues. This may require certain client/browser combinations to be updated.

    (below are the steps excerpted from the following link: http://masteringlync.com/2014/10/20/poodle-and-lync-server-2013/)

    So can we disable SSL 3.0 in Lync?  Based on my testing, I would say yes.  In my lab as a test, I have disabled SSL 3.0 on my Edge, Front-End, Reverse Proxy (IIS/AAR) and OWAS server and ran through a laundry list of tests and it works fine.  Additionally, Lync Server 2013 supports FIPS compliance (http://technet.microsoft.com/en-us/library/gg398577.aspx) and SSL 3.0 must be disabled for FIPS compliance so I think that is a tacit consent of support for disabling SSL 3.0.  As of this post, I haven’t tested Aries or other phone vendors to make sure those work as expected.



    Windows Server 2012 and Windows Server 2012 R2 have TLS 1.0 and 1.2 enabled by default, along with SSL 3.0.

    To disable SSL 3.0 and 2.0 you can use these:

    # Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection
    md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name Enabled -Value 0 -PropertyType 'DWord' -Force

    # Disable SSL 2.0 (PCI Compliance)
    md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name Enabled -Value 0 -PropertyType 'DWord' -Force



    Regards, Rajukb | MCSE (Communication), MCSA (O365), Certified "Lync Server 2013 depth support engineer" | This posting is provided with no warranties and confers no rights. If my reply answers your question, please mark it as answer/helpful if it's helpful.




    • Edited by RajuKB_MCSE (Communication) Friday, July 15, 2016 11:25 PM
    • Proposed as answer by Alice-Wang Monday, July 18, 2016 7:56 AM
    • Marked as answer by mpmk Tuesday, July 19, 2016 6:54 AM
    • Unmarked as answer by mpmk Tuesday, July 19, 2016 6:55 AM
    • Marked as answer by mpmk Tuesday, July 19, 2016 7:00 AM
    Friday, July 15, 2016 11:14 PM

All replies

  • Mickor,

    Could you link to where you found the TLS v1.2 is mandatory? Lots of industry gateways use TLS 1.0. This won't be a problem.

    -Don

    Friday, July 15, 2016 9:31 PM
  • At HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols I created the relevant keys for TLS 1.2, TLS 1.1 and TLS 1.0 and I could activate or deactivate based on our needs.

    Thanks RajuKB.

     

    Tuesday, July 19, 2016 7:00 AM
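The per-protocol keys Michkor describes, and the two SSL keys from RajuKB's steps, can be handled with one audit function and one set function. This is an added example, not code from the thread; the function names are hypothetical, and it assumes the standard SCHANNEL Protocols key path and the Enabled and DisabledByDefault DWORD values under each protocol's Server and Client subkeys, which SCHANNEL reads only after a reboot.

```powershell
# Added example: audit and set SCHANNEL protocol state (Server and Client side).
# Function names are hypothetical; requires an elevated PowerShell session to write.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol/role. $null in Enabled means no override: the OS default applies.
    foreach ($proto in $Protocols) {
        foreach ($role in 'Server', 'Client') {
            $path = Join-Path $Base "$proto\$role"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $path) {
                $props = Get-ItemProperty -Path $path
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                KeyPresent        = (Test-Path $path)
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Set-SchannelProtocolState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable,
        [ValidateSet('Server', 'Client')][string[]]$Role = @('Server', 'Client')
    )
    foreach ($r in $Role) {
        $path = Join-Path $Base "$Protocol\$r"
        # Create the key if missing (as 'md ... -Force' does), then set both values so the
        # result does not depend on the OS default for that protocol.
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name Enabled -Value ([int]$Enable) -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name DisabledByDefault -Value ([int](-not $Enable)) -PropertyType DWord -Force | Out-Null
    }
}

# Audit first, then apply the SSL 3.0 / SSL 2.0 changes the thread recommends.
Get-SchannelProtocolState | Format-Table -AutoSize
Set-SchannelProtocolState -Protocol 'SSL 3.0' -Enable $false
Set-SchannelProtocolState -Protocol 'SSL 2.0' -Enable $false
```

Run the audit again after the reboot to confirm the values took effect; `Enabled = 0` on the Server row is what prevents the mediation server from accepting that protocol version.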
  • Hi Michkor,

    Have you tested with the above settings? Is the issue solved? Let us know the status and if you are still looking for any information.


    Regards, Rajukb | MCSE (Communication), MCSA (O365), Certified "Lync Server 2013 depth support engineer" | This posting is provided with no warranties and confers no rights. If my reply answers your question, please mark it as answer/helpful if it's helpful.

    Tuesday, July 19, 2016 7:00 AM
  • Glad to hear that we addressed your query; thank you for the update, Michkor.

    Regards, Rajukb | MCSE (Communication), MCSA (O365), Certified "Lync Server 2013 depth support engineer" | This posting is provided with no warranties and confers no rights. If my reply answers your question, please mark it as answer/helpful if it's helpful.

    Tuesday, July 19, 2016 7:03 AM
  • I just assumed that because in Microsoft's "TDS_SfB_Server_2015_Infrastructure_Interoperability_Program_for_PBX" document it says in pg. 18 in "Default configuration settings" paragraph that "For all test cases requiring TLS, TLS v1.2 is mandatory".

    https://technet.microsoft.com/en-us/office/dn947483

     
    Tuesday, July 19, 2016 7:10 AM