Networking

TLS 1.2 Cipher Suites

Connections to Microsoft 365 require at least TLS 1.2 (see M365 supported cipher suites). Some of the services (including Teams) make use of Azure Front Door to terminate TLS connections. Because of that the list of supported Azure Front Door TLS cipher suites defines the cipher suites which must be enabled for Veeam Backup for Microsoft 365. Enable at least one of the following cipher suites on your VB365 and proxy servers. The suites are already listed in preference for security with the top secure one being on top. The ECDHE key-exchange type suites are available from Windows Server 2016 onwards.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Cipher suites can be enabled via the PowerShell cmdlet Enable-TlsCipherSuite or via Group Policy. Enabled cipher suites can be reviewed via the PowerShell cmdlet Get-TlsCipherSuite.

Customers have also reported success using third party applications such as IISCrypto for updating cipher suites and TLS versions on systems running Windows Server 2012 R2 and older.