In an effort to adhere to stricter security policies and updated PCI guidelines, a recent customer implemented a policy that required SSL 3.0, TLS 1.0, and known vulnerable cipher suites to be disabled. Only TLS 1.1 and higher would be allowed.
Setup:
Skype for Business deployed on-premises and Exchange Online in O365.
Reverse Proxy had SSL 3.0 and TLS 1.0 disabled.
Findings:
One of our findings was that the Skype Meeting icon was missing from OWA in Exchange Online.
Troubleshooting:
- We double checked all the integration steps located here
- I also referred back to a very handy post here that has saved me a few times in the past.
Unfortunately, none of these seemed to do the trick.
- Test-OauthConnectivity returned successfully in Exchange Online
- Test-CsExStorageConnectivity returned successfully in Skype4B OnPrem
- The Skype for Business Autodiscover Web Service test (via the Remote Connectivity Analyzer site) failed with “The certificate couldn’t be validated because SSL negotiation wasn’t successful”
- So we turned to Fiddler…
- Fiddler traces for browser-initiated sessions to the Meeting join page, or to Lyncdiscover, showed the connection was established using TLS 1.2 and successfully connected.
- Fiddler traces from the Microsoft Lync Connectivity Analyzer showed the connection was established using TLS 1.0, and resulted in an error stating “Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host”
Version: 3.1 (TLS/1.0)
Random:
"Time": 10/25/2084 8:40:55 AM
SessionID: empty
Extensions:
server_name skypewebext.company.com
elliptic_curves secp256r1 [0x17], secp384r1 [0x18]
ec_point_formats uncompressed [0x0]
SessionTicket empty
extended_master_secret empty
renegotiation_info 00
- So it appears that Web Service calls from the Skype4B/Lync client, as well as those coming from Exchange Online, are hard coded to use TLS 1.0.
Resolution:
Re-enabling TLS 1.0 on the Reverse Proxy resolved all these issues.
- Scheduling Skype Meetings became available in Exchange Online
- Remote Connectivity Analyzer Autodiscover tests ran successfully
I followed up with Microsoft on my findings, and they indicated that disabling TLS 1.0 on Skype4B servers wasn’t supported. They also said a KB article would be released in the future saying disabling TLS 1.0 wasn’t supported, but didn’t have a time frame.