Encryption for Skype for Business Server 2015

Skype for Business Server 2015

Topic Last Modified: 2016-09-15

Skype for Business Server 2015 uses TLS and MTLS to encrypt instant messages. All server-to-server traffic requires MTLS, regardless of whether the traffic is confined to the internal network or crosses the internal network perimeter. When connecting Skype for Business Server 2015 to third-party IP-PBX systems or SIP trunks, TLS is optional but strongly recommended between the Mediation Server and the media gateway. If TLS is configured on this link, MTLS is required. Therefore, the gateway must be configured with a certificate from a CA that is trusted by the Mediation Server.

A security advisory regarding SSL 3.0 was published in 2014. Disabling SSL 3.0 in Skype for Business Server 2015 is a supported option. To learn more about the security advisory, see https://blogs.technet.microsoft.com/uclobby/2014/10/22/disabling-ssl-3-0-in-lync-server-2013/.
Security Note:
To ensure the strongest cryptographic protocol is used, Skype for Business Server 2015 will offer TLS encryption protocols to clients in the following order: TLS 1.2, TLS 1.1, TLS 1.0. TLS is a critical aspect of Skype for Business Server 2015, and thus it is required in order to maintain a supported environment.

The following table summarizes the protocol requirements for each type of traffic.

Traffic Protection

Traffic type Protected by





Instant messaging and presence


Audio and video and desktop sharing of media


Desktop sharing (signaling)


Web conferencing


Meeting content download, address book download, distribution group expansion


Media traffic is encrypted using Secure RTP (SRTP), a profile of Real-Time Transport Protocol (RTP) that provides confidentiality, authentication, and replay attack protection to RTP traffic. In addition, media flowing in both directions between the Mediation Server and its internal next hop is also encrypted using SRTP. Media flowing in both directions between the Mediation Server and a media gateway is optionally encrypted and recommended. The Mediation Server can support encryption to the media gateway, but the gateway must support MTLS and storage of a certificate.

If you are implementing a hybrid environment, you must also modify the Skype for Business Server 2015 encryption level. By default, the encryption level is Required. You must change this setting to Supported by using the Skype for Business Server Management Shell. For more information about setting up hybrid, see Configure hybrid from online to on-premises in Skype for Business Server 2015 in the Deployment documentation.
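One way to review and make the hybrid encryption-level change from the Management Shell, as an added example that is not Microsoft's own script. It assumes the "encryption level" described above is the `EncryptionLevel` property of the media configuration collections (`Get-CsMediaConfiguration` / `Set-CsMediaConfiguration`); the `-Identity` default and the `-Apply` switch are parameters of this example only.

```powershell
# Added example, not Microsoft's script. Assumption: the page's "encryption level"
# is the EncryptionLevel property of the media configuration collections.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Identity = 'Global',   # collection to change (assumed scope)
    [switch]$Apply                  # without -Apply the script only reports
)

Import-Module SkypeForBusiness -ErrorAction Stop

# 1. Inventory: list every media configuration collection and its current level.
$all = Get-CsMediaConfiguration
$all | Select-Object Identity, EncryptionLevel | Format-Table -AutoSize

# 2. Flag collections where media encryption is switched off entirely;
#    hybrid only needs Supported, never DoNotSupportEncryption.
$all | Where-Object { "$($_.EncryptionLevel)" -eq 'DoNotSupportEncryption' } |
    ForEach-Object { Write-Warning "$($_.Identity): media encryption is disabled" }

# 3. Change only the requested collection, and only if it is still at the default.
$current = Get-CsMediaConfiguration -Identity $Identity -ErrorAction Stop
if ("$($current.EncryptionLevel)" -ne 'RequireEncryption') {
    Write-Output "$Identity is already '$($current.EncryptionLevel)'; nothing to change."
    return
}

if ($Apply -and $PSCmdlet.ShouldProcess($Identity, 'Set EncryptionLevel to SupportEncryption')) {
    Set-CsMediaConfiguration -Identity $Identity -EncryptionLevel SupportEncryption
    # Read the value back so the change is recorded in the session transcript.
    Get-CsMediaConfiguration -Identity $Identity | Select-Object Identity, EncryptionLevel
} else {
    Write-Output "Report only: $Identity is 'RequireEncryption'. Re-run with -Apply to change it."
}
```

With `SupportEncryption`, media is encrypted only when the remote endpoint also supports it, so keep the inventory output from before and after the change with the deployment's change records.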

Skype for Business Server 2015 and Exchange 2016 operate with support for Federal Information Processing Standard (FIPS) 140-2 algorithms if the Windows Server operating systems are configured to use the FIPS 140-2 algorithms for system cryptography. To implement FIPS support, you must configure each server running Skype for Business Server 2015 to support it.