Have You Checked Your LPE Inventory Lately?
During Microsoft Ignite 2017 last September, Microsoft announced the end of support for Transport Layer Security (TLS) 1.0 and 1.1 encryption in Office 365, in favor of TLS 1.2 -- a move that means Lync Phone Edition (LPE) devices will no longer be able to connect to O365 services. This TLS change, originally supposed to happen in March, has been delayed until Oct. 31. So we're now just a couple short months away from the impending doom of Lync Phone Edition. What does that mean for you?
The simple answer is that vendors will not update LPE hardware to support TLS 1.2, and that after Oct. 31, their devices will no longer work with O365.
The more complex answer has many layers.
First off, if you aren't familiar with LPE devices, they're the IP phones first launched alongside Lync 2010 from third-party vendors like HP (via Snom), Mitel (which purchased Aastra), and Polycom. These phones run a prehistoric edition of Windows CE 6.0 and a Microsoft-written Lync Phone client, neither of which supports TLS 1.2. LPE devices have long been proven workhorses, deployed in large numbers, but the time has come for you to put them out to pasture.
When Microsoft applies TLS 1.2 as the only encryption mechanism with Office 365, these devices will no longer connect. This will affect every O365 property, including Azure Active Directory and Exchange Online Unified Messaging. That means, even if your organization uses Skype for Business Server on premises, anyone utilizing voicemail services in the Microsoft 365 cloud will be affected.
Secondly, the older TLS versions -- 1.0 and 1.1 -- have known vulnerabilities used by hackers (although Microsoft currently states that it knows of no vulnerabilities in its early TLS implementations). That's all well and good; however, future vulnerabilities are inevitable, and Microsoft is proactively disabling TLS 1.0 and 1.1 in O365. This is a wise move, because it really is only a matter of time -- someone is always younger, smarter, faster, and better... and a persistent hacker will find exploits.
The importance of this announcement should be clear: Microsoft's TLS 1.2 enforcement will potentially cause critical business phones to stop functioning with O365 services, affecting functions like basic calling facilitated by Skype for Business Online. All phones utilizing Exchange Online services for calendaring, voicemail, Outlook contacts, and call logs, for example, will cease working with those services. Don't forget about on-premises/hybrid deployments using Exchange Online, as they'll also be affected.
Please take time to audit your environment for these functionalities and the following LPE devices:
- HP: 4110 and 4120
- Mitel/Aastra: 6721ip and 6725ip
- Polycom: CX500, CX600, CX3000
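
One way to run this audit against an exported device inventory, as an added example rather than code from the article or from Microsoft. The CSV columns (`asset`, `vendor`, `model`, `sfb`, `exchange`) and the sample rows are assumptions constructed for illustration; the model list and the impact categories come from the text above.

```python
import csv
import io
import re

# LPE models listed in the article, grouped by the vendor names it gives.
_MITEL = {"6721IP", "6725IP"}
LPE_MODELS = {
    "HP": {"4110", "4120"},
    "MITEL": _MITEL,
    "AASTRA": _MITEL,
    "POLYCOM": {"CX500", "CX600", "CX3000"},
}

# Constructed sample inventory; column names and values are assumptions.
SAMPLE_CSV = """asset,vendor,model,sfb,exchange
D-001,Polycom,CX 600,online,online
D-002,Aastra,6725ip,onprem,online
D-003,HP,4120,onprem,onprem
D-004,Polycom,VVX 410,online,online
D-005,polycom,cx-3000,onprem,online
"""

def normalize(text):
    """Uppercase and drop spaces, dashes and underscores ('cx-600' -> 'CX600')."""
    return re.sub(r"[\s\-_]", "", text).upper()

def impact(sfb, exchange):
    """Map a device's back-end services to the impact the article describes."""
    if sfb == "online":
        return "loses O365 connectivity, including calling"
    if exchange == "online":
        return "loses Exchange Online voicemail, calendar, contacts, call logs"
    return "on-premises only: no change anticipated"

def audit(csv_text):
    """Return (asset, vendor, model, impact) for each LPE device in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor, model = normalize(row["vendor"]), normalize(row["model"])
        if model not in LPE_MODELS.get(vendor, set()):
            continue  # not an LPE model; check its TLS 1.2 support separately
        findings.append((row["asset"], vendor, model,
                         impact(row["sfb"].strip().lower(), row["exchange"].strip().lower())))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV):
        print(" | ".join(finding))
```

Matching on vendor and model together keeps a bare number such as 4120 from flagging an unrelated device from another manufacturer.
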
You may be wondering if the TLS 1.2 change will affect non-LPE devices. It might. A proactive investigative approach would be wise.
The good news for all is that devices like Microsoft 3rd Party Interoperability Partner (3PIP) phones certified for Skype for Business Online will work with O365 TLS 1.2, as well as with Microsoft Teams in the future. No changes are anticipated when connecting devices to an on-premises deployment of Skype for Business Server. You may also want to consider native Teams devices that Microsoft announced in March at Enterprise Connect 2018. The Teams app functions directly on these devices.
In closing, let me remind you to take the time to look through your network for outdated devices. You never know when you may unearth an LPE device hiding on a critical desk or in a conference room. This proactive scavenger hunt will save you some frustration -- and frantic helpdesk calls -- come November. Now is a great time to consider implementing 3PIP or native Teams devices for your Microsoft UC deployment!