Outlook 2011 to use SSLV3

Hi,

This is my first post. I don't have much experience with Macs. I've had a look through the settings but can't find what I need to use SSLV3. Recently we had our TMG gateway security increased to block SSLV2 as per this http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html. Since then the Mac users cannot access our Exchange when working from an external connection. The Mac users are able to work OK when on the corp network as they aren't hitting the TMG. Other users running Win7/8 with Outlook are working OK on and off the corp network. Webmail works OK externally as well.

I am trying to find out if there is a way to force Outlook 2011 to use SSLV3.

I've checked the certificates and they are for Lync.

Thanks in advance.

Dave

 

Last updated October 22, 2018
Answer

Our organization recently disabled SSLv2 on our Forefront TMG box, and all of our Macs fell off the E-mail wagon, similar to what you describe. The problem isn't disabling SSLv2, as we were able to resolve this problem.

In the same link you posted, http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html, the problem rests in the step of changing SChannel's mode from compatible to strict, which was modified using the following: "navigate to HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\ and create a new DWORD value called AllowInsecureRenegoClients set to 0. Restart the TMG firewall for this change to take effect."

As I was methodically going through the settings trying to get our Mac clients reconnected, as soon as I changed the setting from "0" to "1", my Mac immediately connected back to Exchange through the TMG box.

Changing this setting to a "1" will still give your TMG box a rating of an "A-" if you test it against the same test as described in the isaserver.org article.

Note when making this change, all you should need to do is restart the TMG Firewall Service; you should not need to reboot the server.

Here is some more information on what this key setting is supposed to mitigate. http://blogs.technet.com/b/isablog/archive/2013/09/18/isa-2006-tmg-2010-disable-client-initiated-ssl-renegotiation-protecting-against-dos-attacks-and-malicious-data-injection.aspx

I should also note that we have the following setting on our TMG server, and Macs do connect.

If the DisableRenegoOnServer subkey is present and has any nonzero value:

- Server initiated renegotiation is not allowed.
- The server will not respond to renegotiation requests from the client.
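
A read-only check of the two SChannel values discussed in this answer, as an added example that is not part of the original post or any Microsoft tooling. It assumes Windows PowerShell 2.0 or later on the TMG server; the function name Get-RenegoPosture is hypothetical, and reading an absent value as "not set" (compatible mode, renegotiation allowed) is an assumption.

```powershell
# Added example: report how the SChannel renegotiation values are configured.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel'
$ValueNames  = 'AllowInsecureRenegoClients', 'DisableRenegoOnServer'

function Get-RenegoPosture {
    param(
        # Optional hashtable of value name -> DWORD, for checking a planned
        # configuration offline. When omitted, the live registry is read.
        [hashtable]$Values
    )
    if ($null -eq $Values) {
        $Values = @{}
        $props = Get-ItemProperty -Path $SchannelKey -ErrorAction SilentlyContinue
        foreach ($name in $ValueNames) {
            # Only record values that actually exist under the key.
            if ($props -and $props.PSObject.Properties[$name]) {
                $Values[$name] = $props.$name
            }
        }
    }

    $allow   = $Values['AllowInsecureRenegoClients']
    $disable = $Values['DisableRenegoOnServer']

    # 0 = strict mode (the article's setting); anything else or absent is
    # treated as compatible mode (absent-value handling is an assumption).
    $clientMode = if ($null -ne $allow -and $allow -eq 0) { 'strict' } else { 'compatible' }
    # Any nonzero value disables renegotiation on the server side.
    $serverRenego = if ($null -ne $disable -and $disable -ne 0) { 'disabled' } else { 'allowed' }

    New-Object PSObject -Property @{
        AllowInsecureRenegoClients = if ($null -eq $allow) { 'not set' } else { $allow }
        DisableRenegoOnServer      = if ($null -eq $disable) { 'not set' } else { $disable }
        ClientMode                 = $clientMode
        ServerRenegotiation        = $serverRenego
    }
}

# Constructed samples: the article's strict setting, then the combination
# this answer reports as working with Mac clients.
Get-RenegoPosture -Values @{ AllowInsecureRenegoClients = 0 }
Get-RenegoPosture -Values @{ AllowInsecureRenegoClients = 1; DisableRenegoOnServer = 1 }

# On the TMG server itself, read the live values:
Get-RenegoPosture
```

A `ClientMode` of `strict` corresponds to the configuration under which the Mac clients in this thread stopped connecting; `compatible` together with `ServerRenegotiation` of `disabled` matches the combination described in this answer.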


Answer
Microsoft really needs to allow Outlook for Mac to utilize TLS 1.2 instead of SSL 2.0 handshakes. My understanding is that Outlook 2016 for Mac still suffers from this problem and requires an insecure server configuration on either the Exchange server or reverse proxy in order to support it. Unbelievable!
