Hello--

I'm hoping you can provide some direction. We currently are running
Exchange 2003 Enterprise with an OWA server in the DMZ. Yes.. I know
best practices recommend routing this traffic through an ISA server.
There is a trusted SSL certificate on the server and we have many
mobile device users.

Anyway, on a recent scan, we received the following security notice.

SSLv2 Supported
This SSL service supports SSLv2 connections. SSLv2 has known
cryptographic weaknesses. Secure web applications should only enable
the SSLv3 or TLSv1 protocols. For PCI compliance validation scans,
note that either or both of the SSLv3 or TLSv1 protocols must be
enabled (i.e., SSLv2 can not be the only supported protocol version).

They provide the following resolution suggestion:

Disable the use of SSL 2.0 if possible. Note that some older client
software may not support the most recent protocol versions.

Refer to the following:

Microsoft Knowledge Base article to remove SSLv2 support from
Microsoft's Internet Information Server (IIS):
http://support.microsoft.com/kb/187498
http://support.microsoft.com/kb/245030

I've been scouring the boards trying to find out if:

1. Does OWA 2003 support SSL v3?
2. If I follow the suggestions and disable SSLv2, will it affect the
users of mobile devices running Windows Mobile 5/6?

I haven't been able to locate documentation regarding the supported
versions.

Any direction would be appreciated!