Disabling SSL 2.0 on your OWA website published by TMG

To help ensure the external security for Outlook Web App, you may be publishing OWA via Forefront Threat Management Gateway. You may as the result of a security audit be required to disable SSL 2.0 for PCI compliance.

To test if you need to do this, you can use online tools including those provided by https://www.ssllabs.com/ to test if you need to disable this, and ensure that SSL 3.0 is indeed enabled: 

Image

Figure 1

To disable SSL 2.0 for users accessing OWA via the Threat Management Gateway/ISA server, use Registry Editor to navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0

Create a new key named Server:

Image

Figure 2

Next, add a new DWORD value named DisabledByDefault and set the value to 1:

Figure 3

At an appropriate time, re-boot the TMG/ISA server. After reboot, rerun the tests and you should see SSL 2.0 is now disabled. Access to OWA and other services should be unaffected:

Image

Figure 4

 

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top