Page History

Versions Compared

Key

This line was added.
This line was removed.
Formatting was changed.

Add_docset_workflow

AUTH1	UserResourceIdentifier{userKey=8a00a0c85b2726c2015b58aa779d0003, userName='null'}
DEV1	UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26cc5207f0, userName='null'}
LDEV1	UserResourceIdentifier{userKey=8a00a0c85b2726c2015b58aa779d0003, userName='null'}
SVT1	UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26cef30cd0, userName='null'}
LSVT1	UserResourceIdentifier{userKey=8a00a0c85b2726c2015b58aa779d0003, userName='null'}
AUTHJID	SYM-20206

Include Page

	Not_for_SWe
	Not_for_SWe

This operation is optional

allowing

, and allows SBA administrators to configure the security settings for roles, role services, and features on the SBA. This

basically

applies security rules to the Windows Server 2008 R2 operating system on the ASM hosting the SBA, and improves system hardening (i.e., reducing its surface of vulnerability).

You can do so by either Applying a

Predefined

Security Template, or Importing a Custom Security Template of choice. The following is a list of the main groups of security rules that are modified:

Microsoft OS Services
Microsoft OS Networking Firewall
Microsoft OS Registry Values
Microsoft OS Audit
Microsoft OS SCE Templates

Section

Column

width	380px

Align

align	right

Table plus

columnAttributes	style="text-align:center;vertical-align:middle;",style="text-align:left;vertical-align:middle;"
autoNumber	false
enableSorting	false

Status	Lync SBA Branch Site Tasks
	Step 1 - Configuring the ASM IP Settings
	Step 2 - Joining the ASM to a Domain
	Step 3 - Deploying the SBA
	Step 4 - Generate and Import an SBA Certificate
	Step 5 - Starting the SBA Services
Now →	Step 6 - Applying an SBA Security Template

Applying

...

an SBA Security Template

Warning
Once the security template is applied, the action cannot be reversed. In order to disable the security template, the ASM has to be re-initialized.

...

Enables data execution protection
Enables firewall
Disables domain users from logging into the ASM
Enables only local administrator login

Pagebreak

...

Apply

...

Security Template

In the WebUI, access Tasks> Lync Survivable Branch Appliance (or Skype for Business Survivable Branch) > Setup SBA.
Rules Template. PanelborderStylenone
Click Security.

Caption
0 Figure
1 Apply
Predefined
Security Template
Image Removed
Click OK. The operation will take up to to 5 minutes to complete.

Importing a Custom Security Template

...

Image Added

From the Apply Version drop down list, select the applicable TLS option (TLS 1.2 Only or TLS 1.0-1.2).

Note
The following are limitations for using TLS 1.2 Only or TLS 1.0-1.2 Valid for Skype for Business On Premises SBA only. Valid for WS2012R2 ASM. Valid with the following clients: Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 15.0.5023.1000 and higher. Skype for Business 2016 Desktop Client, MSI 16.0.4678.1000 and higher, including Basic. Skype for Business 2016 Click to Run Require the April 2018 Updates: Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher Requires Skype for Business - March 2018 or Higher Cumulative Updates. Refer to Installing Cumulative Updates for Lync SBA. Requires ASM RollUp June 2018. Apply the Security Template after applying the the ASM Roll-Up. Refer to ASM Roll-up Update. Before enabling TLS 1.2 Only on SBA, prepare your Skype for Business environment: https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-1

Note

The following are limitations for using TLS 1.2 Only or TLS 1.0-1.2

Valid for Skype for Business On Premises SBA only.
Valid for WS2012R2 ASM.
Valid with the following clients:
- Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 15.0.5023.1000 and higher.
- Skype for Business 2016 Desktop Client, MSI 16.0.4678.1000 and higher, including Basic.
- Skype for Business 2016 Click to Run Require the April 2018 Updates:
  - Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher
  - Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher
Requires Skype for Business - March 2018 or Higher Cumulative Updates. Refer to Installing Cumulative Updates for Lync SBA.
Requires ASM RollUp June 2018. Apply the Security Template after applying the the ASM Roll-Up. Refer to ASM Roll-up Update.
Before enabling TLS 1.2 Only on SBA, prepare your Skype for Business environment: https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-1

Click Apply TLS Version.
For Microsoft SBA Security Hardening, click Apply Default Template. If SBA Security Hardening has been run on the SBA at deployment, this field will be greyed out.
For Custom Security Template, click Browse and select the applicable Security XML file. You need a Windows Server security template XML file created using the Microsoft Security Configuration Wizard (SCW)

...

. Refer to the following for how to create the file:

Caption

0	Figure
1	Windows Security Templates

Windows Version	Microsoft Security Configuration Wizard Reference
Windows 2008	Microsoft Security Configuration Wizard (SCW)
Windows 2008R2 Windows 2012R2	Microsoft Security Configuration Wizard (SCW)

Click Submit Security Template file. The operation will take up to to five minutes to complete.

Verify TLS Version is Applied

In the WebUI, access Settings > Application Solution Module > Operational Status (or via Tasks > Application Solution Module > Operational Status).
Under Windows Status > TLS Version, view the current, enabled TLS version.
Caption
0 Figure
1 View Enabled TLS Version
Image Added

Space shortcuts

Page tree