In an effort to adhere to stricter security policies and updated PCI guidelines, a recent customer implemented a policy that required SSL 3.0, TLS 1.0, and known vulnerable cipher suites to be disabled. Only TLS 1.1 and higher would be allowed.
Skype for Business was deployed on-premises, with Exchange Online in O365.
The reverse proxy had SSL 3.0 and TLS 1.0 disabled.
One of our findings was that the Skype Meeting icon was missing from OWA in Exchange Online.
We double-checked all the integration steps located here
- I also referred back to a very handy post here that has saved me a few times in the past.
Unfortunately, none of these seemed to do the trick.
- Test-OauthConnectivity returned successfully in Exchange Online
- Test-CsExStorageConnectivity returned successfully in Skype4B OnPrem
- The Skype for Business Autodiscover Web Service test (via the Remote Connectivity Analyzer site) failed with “The certificate couldn’t be validated because SSL negotiation wasn’t successful”
- So we turned to Fiddler…
Fiddler traces for browser-initiated sessions to the Meeting join page, or to Lyncdiscover, showed the connection was established using TLS 1.2 and successfully connected.
- Fiddler traces from the Microsoft Lync Connectivity Analyzer showed the connection was established using TLS 1.0, and resulted in an error stating “Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host”
Version: 3.1 (TLS/1.0)
"Time": 10/25/2084 8:40:55 AM
elliptic_curves secp256r1 [0x17], secp384r1 [0x18]
ec_point_formats uncompressed [0x0]
- So it appears that Web Service calls from the Skype4B/Lync client, as well as those coming from Exchange Online, are hard-coded to use TLS 1.0.
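The Fiddler decode above shows the fields that give the game away: the ClientHello version and the EC extensions. As an added example (not part of the original post), the parser below pulls those fields out of a captured ClientHello record and reports whether that client could still connect through a proxy that enforces a TLS 1.1 minimum; the ClientHello bytes are constructed for the demo, not taken from the customer's trace.

```python
import struct

VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
EXT_ELLIPTIC_CURVES, EXT_EC_POINT_FORMATS, EXT_SUPPORTED_VERSIONS = 0x000A, 0x000B, 0x002B

def build_client_hello(client_version, cipher_suites, extensions):
    """Constructed input: a minimal TLS record carrying a ClientHello (zeroed random)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (bytes(client_version) + b"\x00" * 32 + b"\x00"           # version, random, empty session id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", c) for c in cipher_suites)
            + b"\x01\x00" + struct.pack("!H", len(ext_body)) + ext_body)  # null compression, extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(client_version) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Decode the fields Fiddler prints: client version, suites, curves, point formats, supported_versions."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello handshake record"
    p = 9
    client_version = (record[p], record[p + 1]); p += 2 + 32        # skip 32-byte random
    p += 1 + record[p]                                               # session id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + record[p]                                               # compression methods
    info = {"client_version": client_version, "cipher_suites": suites,
            "supported_versions": None, "curves": [], "point_formats": []}
    if p < len(record):
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); data = record[p + 4:p + 4 + elen]; p += 4 + elen
            if etype == EXT_ELLIPTIC_CURVES:
                n = struct.unpack("!H", data[:2])[0]
                info["curves"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == EXT_EC_POINT_FORMATS:
                info["point_formats"] = list(data[1:1 + data[0]])
            elif etype == EXT_SUPPORTED_VERSIONS:
                info["supported_versions"] = [(data[i], data[i + 1]) for i in range(1, 1 + data[0], 2)]
    return info

def offered_versions(info):
    """Versions the client will accept. Without supported_versions (pre-TLS 1.3 clients),
    client_version is the ceiling and the server may pick anything from SSL 3.0 up to it."""
    if info["supported_versions"]:
        return set(info["supported_versions"])
    return {v for v in VERSION_NAMES if (3, 0) <= v <= info["client_version"]}

def survives_policy(record, minimum=(3, 2)):
    """True if this client can still negotiate with a proxy requiring at least `minimum` (TLS 1.1)."""
    return any(v >= minimum for v in offered_versions(parse_client_hello(record)))
```

A client that advertises version 3.1 with no supported_versions extension, as in the trace above, can never reach TLS 1.1 regardless of which curves or suites it offers, which is exactly why the handshake is reset by the proxy.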
Re-enabling TLS 1.0 on the Reverse Proxy resolved all these issues.
- Scheduling Skype Meetings became available in Exchange Online
- Remote Connectivity Analyzer Autodiscover tests ran successfully
I followed up with Microsoft on my findings, and they indicated that disabling TLS 1.0 on Skype4B servers wasn’t supported. They also said a KB article would be released in the future saying disabling TLS 1.0 wasn’t supported, but didn’t have a time frame.