August 8th 08, 05:29 PM, posted to microsoft.public.outlook
Milly Staples [MVP - Outlook]
OWA 2003 and SSL Security Vulnerability

Since OWA is a part of Exchange and not Outlook, you should probably post this "down the hall" in one of the Exchange groups.

--
Milly Staples [MVP - Outlook]

Post all replies to the group to keep the discussion intact.
How to ask a question:
http://support.microsoft.com/KB/555375


After furious head scratching, ExchangeGuy asked:

| Hello--
|
| I'm hoping you can provide some direction. We currently are running
| Exchange 2003 Enterprise with an OWA server in the DMZ. Yes.. I know
| best practices recommend routing this traffic through an ISA server.
| There is a trusted SSL certificate on the server and we have many
| mobile device users.
|
| Anyway, on a recent scan, we received the following security notice.
|
| SSLv2 Supported
| This SSL service supports SSLv2 connections. SSLv2 has known
| cryptographic weaknesses. Secure web applications should only enable
| the SSLv3 or TLSv1 protocols. For PCI compliance validation scans,
| note that either or both of the SSLv3 or TLSv1 protocols must be
| enabled (i.e., SSLv2 can not be the only supported protocol version).
|
| They provide the following resolution suggestion:
|
| Disable the use of SSL 2.0 if possible. Note that some older client
| software may not support the most recent protocol versions.
|
| Refer to the following:
|
| Microsoft Knowledge Base article to remove SSLv2 support from
| Microsoft's Internet Information Server (IIS):
| http://support.microsoft.com/kb/187498
| http://support.microsoft.com/kb/245030
|
| I've been scouring the boards trying to find out if:
|
| 1. Does OWA 2003 support SSL v3?
| 2. If I follow the suggestions and disable SSLv2, will it affect the
| users of mobile devices running Windows Mobile 5/6?
|
| I haven't been able to locate documentation regarding the supported
| versions.
|
| Any direction would be appreciated!
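
To confirm the scanner's SSLv2 finding on a server you administer, before and after applying the KB changes, the server's first reply to an SSLv2 CLIENT-HELLO can be classified directly. This is an added example, not part of the original thread; the function names, the offered cipher list and the sample reply bytes are constructed for illustration.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) offered by the probe.
SSL2_CIPHERS = [0x010080, 0x020080, 0x030080, 0x040080, 0x060040, 0x0700C0]

# Constructed sample replies (not captured from any real server).
SAMPLE_SSL2_HELLO = struct.pack(">HBBBHHHH", 0x800B, 4, 0, 1, 0x0002, 0, 0, 0)
SAMPLE_TLS_ALERT = bytes.fromhex("15030000020228")  # fatal handshake_failure

def build_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record advertising version 0x0002 only."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(c.to_bytes(3, "big") for c in SSL2_CIPHERS)
    # msg type 1, version, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_reply(data):
    """Classify the first bytes a server sends back to the probe."""
    if len(data) < 3:
        return "no-reply"            # closed or reset without answering
    if data[0] & 0x80:               # 2-byte SSLv2 record header
        length = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] == 4 and length >= 11 and len(data) >= 7:
            version = struct.unpack(">H", data[5:7])[0]
            return "sslv2-enabled" if version == 0x0002 else "unknown"
        if data[2] == 0:
            return "sslv2-error"     # speaks SSLv2 but rejected the offer
        return "unknown"
    if data[0] == 0x15:              # SSLv3/TLS alert record
        return "tls-alert"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the probe to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return classify_reply(s.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "no-reply"
```

A `probe()` result of `sslv2-enabled` matches the scanner finding; once SSL 2.0 is disabled the server typically answers with `tls-alert` or `no-reply` instead.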