Office 365 will Enforce Mandatory use of TLS 1.2 from October 31, 2018, so Lync Phone Edition (which does not support TLS 1.2) will not be able to Connect to Skype for Business Online
16th April 2018 Update: Microsoft has now confirmed this in an official blog post (an older post that has since been updated):
“Office 365 will enforce TLS 1.2 later this year. Since the underlying operating system of LPE does not support TLS 1.2, LPE will not be able to connect to Office 365 anymore”
In line with security best practices, and for very good reasons that Microsoft explains in its advisory, Microsoft is moving Office 365 to mandatory TLS 1.2.
“In support of our promise to provide best-in-class encryption to our customers, we are planning to discontinue support for Transport Layer Security (TLS) versions 1.0 and 1.1 soon in Microsoft Office 365.
The Microsoft TLS 1.0 implementation has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, we are discontinuing support for the use of TLS 1.0 and 1.1 in Office 365.
For information about how to remove TLS 1.0 and 1.1 dependencies, see the whitepaper Solving the TLS 1.0 problem.”
As of October 31, 2018, Microsoft Office 365 will no longer support TLS 1.0 and 1.1. Most clients and browsers support TLS 1.2 now, so for most customers this shouldn’t be a big issue. One consideration in the Skype for Business world is that Lync Phone Edition does not support TLS 1.2.
Lync Phone Edition
For those needing a refresher, Lync Phone Edition (LPE) phones are the IP phones first launched alongside Lync 2010. The phones were produced by third-party certified providers like Polycom, Mitel/Aastra and HP/Snom, but all run Windows CE 6.0 and a Microsoft-written Lync Phone client (codename Aries).
LPE phones:
- Polycom: CX500, CX600, and CX3000
- Hewlett-Packard: 4110 and 4120
- Mitel-Aastra: 6721ip and 6725ip
Over time, Microsoft increasingly pushed customers to the newer qualified IP phones (such as Polycom VVX, AudioCodes and Yealink), where the vendor writes the OS and phone application to a Microsoft-certified specification for Skype for Business, but a good number of Lync Phone Edition phones are still around. They work with Skype for Business Server and Skype for Business Online today.
Checking the Microsoft site, they are no longer listed as supported with the exception of the Mitel MiVoice 6725 Lync Phone which I think is an oversight.
But they are still listed as supported on docs.microsoft.com:
Their actual end of mainstream support is April 2018 and extended support is April 2023.
Windows CE 6.0 hits end of extended support in April 2018.
Windows CE, and therefore Lync Phone Edition, doesn’t support TLS 1.2, which means that unless Microsoft chooses to update LPE (which I very much doubt will happen), LPE phones won’t be able to sign into Office 365/Skype for Business Online after October 2018.
I doubt this affects a large number of customers, as certified phones have been the recommendation for some time, but it’s worth being aware I think.
What is curious is that Microsoft is creating a “cloud gateway” to allow Skype for Business Phones to work with Teams (alongside new dedicated Teams IP Phones). At the time of announcing this, it was said that LPE Phones would be supported, but I can’t see how this would be the case, as surely this gateway, as part of Office 365, will also use TLS 1.2. Update: LPE phones will not be supported with Microsoft Teams.
Note, this won’t affect Lync Phone Edition signing into SfB Server 2015. SfBS 2015 will have a supported method to disable TLS 1.0/1.1, but it will be a customer-configurable option. This also doesn’t affect non-LPE phones/3IP certified phones, which are mostly based on Linux and all support TLS 1.2.
Interested in the nitty-gritty detail on TLS and LPE? Check out this excellent blog from Trevor Miller: https://ucvnext.org/2016/03/lync-phone-edition-tls-limitations/