TLS guidance – Office 365 & Exchange

Hopefully everyone is aware by now, but if not, please note: on 31st October 2018 Office 365 will discontinue support for TLS 1.0 and 1.1. From that date only TLS 1.2 connections to Office 365 endpoints will be accepted.

With regards to Exchange Hybrid, this does not mean that TLS 1.0 and 1.1 have to be turned off on premises. It does mean that TLS 1.2 has to be turned on and actually used for SMTP traffic to and from Office 365 (the same goes for any other on-premises component that talks to Office 365 endpoints). Microsoft have a detailed blog series (starting here) which covers everything you need to know; for this post I thought I'd highlight the key requirements.

Exchange Versions

My recommendation is always to run the latest CU/SP for the version of Exchange Server you have. Exchange 2007 and older are not supported for this at all. If you cannot run the latest CU, you must be on at least the following:

  • Exchange 2016 – CU8 (CU9 if you wish to disable TLS 1.0/1.1) and .NET Framework 4.7.1
  • Exchange 2013 – CU19 (CU20 if you wish to disable TLS 1.0/1.1) and .NET Framework 4.7.1
  • Exchange 2010 – SP3 RU19 (RU20 if you wish to disable TLS 1.0/1.1) and .NET Framework 3.5.1

Windows Operating Systems

Similar to Exchange, I recommend your Windows Servers are kept up to date with the latest available updates. Below are the minimum requirements on the Windows Servers running your Exchange environment:

  • Windows Server 2016 – TLS 1.2 is the default security protocol. You are still advised to make sure the latest updates are installed.
  • Windows Server 2012 R2 – TLS 1.2 is the default security protocol. If the OS is not completely up to date, you need security update KB3161949.
  • Windows Server 2012 – TLS 1.2 is the default security protocol. If the OS is not completely up to date, you need security update KB3161949.
  • Windows Server 2008 R2 SP1 – TLS 1.2 is supported but disabled by default, so it must be switched on in the registry. If the OS is not up to date, you also need security update KB3161949 and the optional update KB3080079.
  • Windows Server 2008 SP2 – TLS 1.2 is not supported out of the box. KB4019276 adds TLS 1.1/1.2 support (still disabled by default once installed) and KB3161949 is also required; both are included if the OS is fully patched.

Note that if your certificates are signed with SHA-512 you also need KB2973337; without it Windows disables SHA-512 signatures under TLS 1.2.
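As an added example (not from the original post), the following PowerShell checks a server against the OS update and .NET levels listed above. It uses Get-HotFix and the .NET "Release" registry value; the KB numbers are the ones named in this post, and 461308 is the documented minimum Release value for .NET Framework 4.7.1. PowerShell 3.0 or later is assumed.

```powershell
# Added example: report whether this server meets the minimum OS update and .NET
# levels for TLS 1.2 with Office 365. Run in an elevated PowerShell (3.0+) on each
# Exchange server. KB IDs are taken from the post; 461308 = .NET Framework 4.7.1.

function Get-TlsPrerequisiteReport {
    # Get-WmiObject rather than Get-CimInstance so this also runs on older WMF levels.
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $build = [version]$os.Version        # e.g. 6.1.7601 = Server 2008 R2 SP1

    # Minimum updates per OS as listed in the post (nothing specific for Server 2016).
    $requiredKbs = switch ("$($build.Major).$($build.Minor)") {
        '10.0'  { @() }                               # Server 2016
        '6.3'   { @('KB3161949') }                    # Server 2012 R2
        '6.2'   { @('KB3161949') }                    # Server 2012
        '6.1'   { @('KB3161949', 'KB3080079') }       # Server 2008 R2 SP1
        '6.0'   { @('KB4019276', 'KB3161949') }       # Server 2008 SP2
        default { @() }
    }
    # Only relevant if SHA-512 signed certificates are in use; reported separately.
    $sha512Kb = 'KB2973337'

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = $requiredKbs | Where-Object { $installed -notcontains $_ }

    # .NET 4.x exposes its version as the "Release" DWORD; 461308 or higher = 4.7.1+.
    # Exchange 2010 runs on .NET 3.5.1, so this value is not the deciding factor there.
    $netRelease = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                       -ErrorAction SilentlyContinue).Release

    [pscustomobject]@{
        OSVersion        = $os.Caption
        OSBuild          = $build.ToString()
        MissingUpdates   = @($missing)
        SHA512UpdateSeen = ($installed -contains $sha512Kb)
        NetRelease       = $netRelease
        NetIs471OrLater  = ($netRelease -ge 461308)
    }
}

Get-TlsPrerequisiteReport | Format-List
```

One caveat when reading the output: Get-HotFix only lists updates that were installed individually. On a server patched purely through monthly rollups the fix may be present even though the KB ID is not listed, so treat MissingUpdates as "not explicitly installed" and confirm against the rollup level before ordering more maintenance.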

Enabling TLS 1.2 / Disabling TLS 1.0/1.1

The second part of Microsoft's series goes through how to enable TLS 1.2 on each server version (the Schannel registry keys, plus the .NET registry keys so that Exchange, as a .NET application, follows the OS setting; a reboot is required) and how to identify clients and servers that are still not using TLS 1.2 once it is enabled, for example from the SMTP protocol logs.
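The identification step is where most of the work is in practice. As an added example (not code from the original post or from Microsoft's series), the function below summarises which remote hosts negotiated which TLS version from Exchange SMTP protocol log lines. It assumes protocol logging is enabled on the connectors of interest and that the log's "*" event carries Schannel's protocol name (SP_PROT_TLS1_0_SERVER, SP_PROT_TLS1_2_CLIENT and so on) in the context field; the three sample log lines are constructed for the example, not real data.

```powershell
# Added example: group SMTP protocol log TLS negotiations by remote host, direction
# and protocol version so that TLS 1.0/1.1 peers can be found before they are cut off.

function Get-SmtpTlsSummary {
    param([Parameter(Mandatory)][string[]]$LogLines)

    # Protocol logs are CSV with '#' comment lines; the column order comes from the
    # '#Fields:' header, so resolve names by position instead of hard-coding indexes.
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields: header found in the supplied log lines.' }
    $fields = ($fieldsLine -replace '^#Fields:\s*', '') -split ','

    $rows = $LogLines | Where-Object { $_ -notlike '#*' -and $_.Trim() } |
        ConvertFrom-Csv -Header $fields

    $pattern = 'SP_PROT_(TLS1_[0-3]|SSL[23])_(SERVER|CLIENT)'

    $rows | ForEach-Object {
        if ($_.context -match $pattern) {
            # Drop the port so repeat sessions from one host aggregate together.
            [pscustomobject]@{
                RemoteHost = ($_.'remote-endpoint' -split ':')[0]
                Direction  = $Matches[2]                    # SERVER = inbound, CLIENT = outbound
                Protocol   = ($Matches[1] -replace '_', '.')
                Connector  = $_.'connector-id'
            }
        }
    } |
    Group-Object RemoteHost, Direction, Protocol |
    ForEach-Object {
        [pscustomobject]@{
            RemoteHost = $_.Group[0].RemoteHost
            Direction  = $_.Group[0].Direction
            Protocol   = $_.Group[0].Protocol
            Sessions   = $_.Count
            NeedsWork  = ($_.Group[0].Protocol -ne 'TLS1.2')
        }
    } | Sort-Object NeedsWork -Descending, Sessions -Descending
}

# Constructed sample: one TLS 1.2 session and two TLS 1.0 sessions from the same host.
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2018-06-01T08:01:12.345Z,EX01\Default Frontend EX01,08D5C1A2B3C4D5E6,7,10.0.0.5:25,203.0.113.10:51234,*,,TLS protocol SP_PROT_TLS1_2_SERVER cipher algorithm CALG_AES_256 cipher key length 256
2018-06-01T08:02:40.001Z,EX01\Default Frontend EX01,08D5C1A2B3C4D5E7,7,10.0.0.5:25,192.0.2.44:40122,*,,TLS protocol SP_PROT_TLS1_0_SERVER cipher algorithm CALG_AES_128 cipher key length 128
2018-06-01T08:03:05.500Z,EX01\Default Frontend EX01,08D5C1A2B3C4D5E8,7,10.0.0.5:25,192.0.2.44:40190,*,,TLS protocol SP_PROT_TLS1_0_SERVER cipher algorithm CALG_AES_128 cipher key length 128
'@ -split "`r?`n"

Get-SmtpTlsSummary -LogLines $sample | Format-Table -AutoSize

# Against a real server, feed it the front end receive logs (and the SmtpSend logs for
# outbound), e.g.:
# Get-SmtpTlsSummary -LogLines (Get-Content (Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log'))
```

Two things to keep in mind when reading the result: a session that never negotiated TLS at all produces no matching line and so does not appear here (that is a separate problem to chase in the same logs), and CLIENT entries are the ones that matter for mail you send to Office 365, since that is the side Microsoft will refuse after the deadline.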

If you need to disable TLS 1.0/1.1, the third part of Microsoft's series explains how to do that. Only do it once you are on the CU/RU levels listed above and the protocol logs show nothing still depending on the older versions.
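As an added example (my code, not the post's or Microsoft's), the following PowerShell performs the two steps in the order Microsoft's series recommends: enable TLS 1.2 in Schannel and for .NET, read the state back, and only then (commented out here) disable TLS 1.0/1.1. The registry locations are the standard Schannel and .NET ones; run it elevated, test it on one server first, and reboot afterwards because Schannel only reads these keys at start-up.

```powershell
# Added example: enable TLS 1.2 (Schannel + .NET), optionally disable TLS 1.0/1.1,
# and read the resulting protocol state back. Reboot required after changes.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    # Hybrid mail flow needs both sides: Server covers inbound (receive connectors),
    # Client covers outbound (send connectors to Office 365).
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=1 + DisabledByDefault=0 switches the protocol on; the inverse pair
        # switches it off. Setting only one of the two leaves the OS default in play,
        # which on 2008 R2 / 2008 SP2 means TLS 1.2 stays off.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Set-DotNetTlsDefaults {
    # Exchange is a .NET application and does not follow Schannel's protocol selection
    # unless told to. SystemDefaultTlsVersions makes .NET defer to the OS;
    # SchUseStrongCrypto stops .NET 4.x falling back to SSL3/TLS 1.0. Both the native
    # and Wow6432Node hives are needed. v4.0.30319 = .NET 4.x (Exchange 2013/2016);
    # v2.0.50727 = .NET 3.5 (Exchange 2010), which only takes SystemDefaultTlsVersions
    # and needs .NET 3.5.1 to be fully patched for the key to be honoured.
    $net4Keys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')
    $net2Keys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727')

    foreach ($key in $net4Keys + $net2Keys) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    }
    foreach ($key in $net4Keys) {
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # $null in either column means the value is absent and the OS default applies.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $p = Get-ItemProperty -Path (Join-Path $SchannelRoot "$proto\$side") -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        }
    }
}

# Step 1 (required before the Office 365 cut-off): make TLS 1.2 available to Schannel and .NET.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true
Set-DotNetTlsDefaults

# Step 2 (optional, and only on Exchange 2016 CU9 / 2013 CU20 / 2010 SP3 RU20 or later,
# after the SMTP protocol logs show no remaining TLS 1.0/1.1 peers):
# Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false
# Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $false

Get-SchannelProtocolState | Format-Table -AutoSize
```

The read-back at the end is worth keeping in any change ticket: a row showing Enabled 1 / DisabledByDefault 0 for TLS 1.2 on both sides is the evidence that the server is ready, and the TLS 1.0/1.1 rows tell you whether anyone has already started the second step.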

Review

In conclusion, you have until 31st October 2018 to ensure TLS 1.2 is enabled and in use between your Exchange Servers and Office 365. If Exchange and Windows are kept up to date, the process is relatively straightforward. If you do need to perform some maintenance first, it may be time to schedule it in so that you are not caught out when Microsoft finally stop accepting TLS 1.0 and 1.1 connections.
