Lync Server 2013 加密Encryption for Lync Server 2013

 

上次修改的主题: 2017-09-14Topic Last Modified: 2017-09-14

Microsoft Lync Server 2013 使用 TLS 和 MTLS 对即时消息进行加密。Microsoft Lync Server 2013 uses TLS and MTLS to encrypt instant messages. 所有服务器到服务器的通信都需要 MTLS,无论流量是限制到内部网络还是跨越内部网络外围。All server-to-server traffic requires MTLS, regardless of whether the traffic is confined to the internal network or crosses the internal network perimeter. TLS 是可选的,但强烈建议在中介服务器和媒体网关之间进行。TLS is optional but strongly recommended between the Mediation Server and media gateway. 如果在此链接上配置了 TLS,则需要 MTLS。If TLS is configured on this link, MTLS is required. 因此,网关必须使用来自中介服务器信任的 CA 的证书进行配置。Therefore, the gateway must be configured with a certificate from a CA that is trusted by the Mediation Server.

备注

有关 SSL 3.0 的安全公告在2014中发布。A security advisory regarding SSL 3.0 was published in 2014. 在 Lync Server 2013 中禁用 SSL 3.0 是一个受支持的选项。Disabling SSL 3.0 in Lync Server 2013 is a supported option. 若要了解有关安全公告的详细信息,请参阅 https://blogs.technet.microsoft.com/uclobby/2014/10/22/disabling-ssl-3-0-in-lync-server-2013/To learn more about the security advisory, see https://blogs.technet.microsoft.com/uclobby/2014/10/22/disabling-ssl-3-0-in-lync-server-2013/.

security安全说明:Security Note:
为确保使用最强的加密协议,Lync Server 2013 将按以下顺序向客户端提供 TLS 加密协议: tls 1.2tls 1.1tls 1.0To ensure the strongest cryptographic protocol is used, Lync Server 2013 will offer TLS encryption protocols in the following order to clients: TLS 1.2 , TLS 1.1, TLS 1.0. TLS 是 Lync Server 2013 的一个关键方面,因此需要维护受支持的环境。TLS is a critical aspect of Lync Server 2013 and thus it is required in order to maintain a supported environment.

客户端到客户端的通信要求取决于该通信是否跨内部企业防火墙。严格意义上的内部通信既可以使用 TLS(加密即时消息),也可以使用 TCP(不加密即时消息)。Requirements for client-to-client traffic depend on whether that traffic crosses the internal corporate firewall. Strictly internal traffic can use either TLS, in which case the instant message is encrypted, or TCP, in which case it is not.

下表汇总了每种类型的通信的协议要求。The following table summarizes the protocol requirements for each type of traffic.

通信保护Traffic Protection

通信类型Traffic type 保护协议Protected by

服务器到服务器Server-to-server

MTLSMTLS

客户端到服务器Client-to-server

TLSTLS

即时消息和状态Instant messaging and presence

TLS(如果针对 TLS 配置)TLS (if configured for TLS)

音频、视频和媒体的桌面共享Audio and video and desktop sharing of media

SRTPSRTP

桌面共享(信号)Desktop sharing (signaling)

TLSTLS

Web 会议Web conferencing

TLSTLS

会议内容下载、通讯簿下载和通讯组扩展Meeting content download, address book download, distribution group expansion

IP-HTTPSHTTPS

媒体加密Media Encryption

媒体通信是使用安全 RTP (SRTP) 进行加密的,SRTP 是为 RTP 通信提供保密性、身份验证和重播攻击保护的实时传输协议 (RTP) 的配置文件。Media traffic is encrypted using Secure RTP (SRTP), a profile of Real-Time Transport Protocol (RTP) that provides confidentiality, authentication, and replay attack protection to RTP traffic. 此外,在中介服务器和其内部下一个跃点之间的双向媒体也使用 SRTP 进行加密。In addition, media flowing in both directions between the Mediation Server and its internal next hop is also encrypted using SRTP. 中介服务器和媒体网关之间的两个方向的媒体在默认情况下都不加密。Media flowing in both directions between the Mediation Server and a media gateway is not encrypted by default. 中介服务器能够支持对媒体网关进行加密,但该网关必须支持 MTLS 和证书存储。The Mediation Server can support encryption to the media gateway, but the gateway must support MTLS and storage of a certificate.

备注

新版本的 Windows Live Messenger 支持音频/视频 (A/V) 。Audio/Video (A/V) is supported with the new version of Windows Live Messenger. 如果要实现 Windows Live Messenger 与 A/V 联盟,则还必须修改 Lync Server 加密级别。If you are implementing A/V federation with Windows Live Messenger, you must also modify the Lync Server encryption level. 默认情况下,加密级别为“必需”。By default, the encryption level is Required. 必须使用 Lync Server 命令行管理程序将此设置更改为 "受支持"。You must change this setting to Supported by using the Lync Server Management Shell. 有关详细信息,请参阅部署文档中的 在 Lync Server 2013 中部署外部用户访问For more information, see Deploying external user access in Lync Server 2013 in the Deployment documentation.

音频和视频媒体流量在 Microsoft Lync 2013 和 Windows Live 客户端之间未加密。Audio and video media traffic is not encrypted between Microsoft Lync 2013 and Windows Live clients.

FIPSFIPS

Lync Server 2013 和 Microsoft Exchange Server 2013 在将 Windows Server 操作系统配置为使用 FIPS 140-2 算法进行系统加密的情况下,运行联邦信息处理标准 (FIPS) 140-2 算法的支持。Lync Server 2013 and Microsoft Exchange Server 2013 operate with support for Federal Information Processing Standard (FIPS) 140-2 algorithms if the Windows Server operating systems are configured to use the FIPS 140-2 algorithms for system cryptography. 若要实现 FIPS 支持,必须将运行 Lync Server 2013 的每台服务器配置为支持它。To implement FIPS support, you must configure each server running Lync Server 2013 to support it. 有关使用 FIPS 兼容的算法和如何实施 FIPS 支持的详细信息,请参阅 Microsoft 知识库文章811833,这是在 Windows XP 和更高版本的 Windows 中启用 "系统加密:将 FIPS 兼容的算法用于加密、哈希和签名" 安全设置的影响 https://go.microsoft.com/fwlink/p/?linkid=3052&kbid=811833For details about the use of FIPS-compliant algorithms and how to implement FIPS support, see Microsoft Knowledge Base article 811833, The effects of enabling the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and in later versions of Windows at https://go.microsoft.com/fwlink/p/?linkid=3052&kbid=811833. 有关 Exchange 2010 中的 FIPS 140-2 支持和限制的详细信息,请参阅 Exchange 2010 SP1 和支持 FIPS 兼容的算法 https://go.microsoft.com/fwlink/p/?LinkId=205335For details about FIPS 140-2 support and limitations in Exchange 2010, see Exchange 2010 SP1 and Support for FIPS Compliant Algorithms at https://go.microsoft.com/fwlink/p/?LinkId=205335.