TLS 1.2 and Skype for Business

By now you’ve probably heard a lot of grumblings about the insecure nature of TLS 1.0 and 1.1, and that everyone should be moving to TLS 1.2. Let’s talk about TLS 1.2, SfB, Office 365, and related things.

What’s TLS?

TLS stands for Transport Layer Security. TLS is the successor to SSL, Secure Socket Layer. You can read a nice multi-part overview of SSL/TLS here that includes details on vulnerabilities and attacks. In a nutshell, TLS is the protocol used to encrypt your stuff.

The challenge

IT has an ongoing challenge of ensuring that related systems are at compatible levels. With TLS, the idea is to enable TLS 1.2 AND disable earlier, less secure versions. It’s plain silly to leave the less secure versions enabled, unless you’re still in transition to TLS 1.2 and need the lower levels for compatibility.
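To see where a Windows server stands during that transition, the following read-only PowerShell audit reports which protocol versions Schannel has enabled or disabled. It is an added example, not part of the original post; it assumes the standard Schannel registry layout, and the function names are hypothetical.

```powershell
# Added example: read-only audit of Schannel protocol settings. It changes nothing.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [ValidateSet('Client', 'Server')][string]$Role)

    $path    = Join-Path (Join-Path $base $Protocol) $Role
    $enabled = Get-RegDword -Path $path -Name 'Enabled'
    $dbd     = Get-RegDword -Path $path -Name 'DisabledByDefault'

    # Enabled = 0 turns the protocol off; DisabledByDefault = 1 means it is
    # only used when an application explicitly asks for it.
    if ($null -eq $enabled -and $null -eq $dbd) { $state = 'OS default' }
    elseif ($enabled -eq 0)                      { $state = 'Disabled' }
    elseif ($dbd -eq 1)                          { $state = 'Disabled by default' }
    else                                         { $state = 'Enabled' }

    # Target posture from the text: TLS 1.2 on, everything older off.
    if ($Protocol -eq 'TLS 1.2') {
        if ($state -eq 'Enabled')        { $note = 'OK' }
        elseif ($state -eq 'OS default') { $note = 'Not configured: check the default for this Windows version' }
        else                             { $note = 'TLS 1.2 is off' }
    }
    elseif ($state -eq 'Disabled') { $note = 'OK' }
    else { $note = 'Older protocol still available (only needed during transition)' }

    [pscustomobject]@{
        Protocol = $Protocol; Role = $Role; State = $state
        Enabled = $enabled; DisabledByDefault = $dbd; Note = $note
    }
}

$results = foreach ($p in $protocols) {
    foreach ($r in 'Server', 'Client') { Get-SchannelProtocolState -Protocol $p -Role $r }
}
$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each server involved. A missing key is reported as "OS default" rather than guessed at, because the built-in default differs between Windows versions.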

About PCI Compliance

When people say PCI, they probably really mean PCI DSS, or the Payment Card Industry Data Security Standard. These are the rules that credit card processing companies say you need to follow. They’re a good read, and probably worth following even if you don’t process payments via card. You can read more here

SfB and TLS

At present, SfB does not support TLS 1.2. Microsoft is late to this party. You can expect an upcoming update to permit SfB to run on TLS 1.2 with less secure levels disabled. A word of caution, however – if you have third-party software for something like a call center, user/number management, e911, or whatever, make sure that it also works in a TLS 1.2-only environment.


LPE is Lync Phone Edition, the software and hardware standard for the previous edition of phones. Common model numbers are the Polycom CX500, CX600 and CX3000. HP and Aastra also make some models. All LPE phones run the same software, based on a super old version of Windows CE. This version does NOT support TLS 1.2, so if you need to run only TLS 1.2 now, your LPE devices need to be replaced. There was a rumour in the past that Microsoft was looking at updating the LPEs to be able to run TLS 1.2; however, I’ve not seen any official word or any updates that they’re still looking at the issue.

PLEASE don’t be one of those organizations that buys a pile of cheap used LPEs. You’ll only regret it when you have to replace them, deploy a new phone management solution, and retrain your users.


There is a tonne of material on Office 365 TLS 1.2 here that you should review. While this article is relatively short, it’s chock full of links to more detailed resources.

More SfB and TLS 1.2 news here when it’s available…