Hi all,
Due to the POODLE vulnerability and TLS 1.0 showing as enabled on one of our external scans, we were informed that we would need to disable SSL 3.0 and TLS 1.0 on our Exchange server.
Apparently, this wouldn't even be possible until Update Rollup 9 was released on 3/16/15:
Rollup resolves:
After installing this update, SSL 3.0 and TLS 1.0 were disabled and the servers rebooted (cross site, same domain, two Exchange servers). After resolving some issues with certificates that apparently broke as a result of the changes, we found that EWS was not working - the log full of these errors:
Process 5776: ProxyWebRequest CrossSite from S-1-5-21-3895483984-2032760896-3917300074-1259 to https://mail.exchange.com:443/ews/exchange.asmx failed. Caller SIDs: NetworkCredentials. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
------------------------------------------------------
The EWS directory in IIS on both servers is set to use Anonymous and Windows Authentication. The main issue observed outside of the above errors was that free/busy information could not be viewed.
After rebuilding the EWS virtual directory and a couple of reboots later, we tried enabling TLS 1.0 on both servers, rebooted, and there were no more EWS errors to be found - free/busy was also working.
So it appears that although this rollup allows SMTP to use TLS 1.1 or 1.2, EWS is still attempting to use TLS 1.0, and I don't see that it is possible to change this.
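An added diagnostic (not from the post above, and not Exchange's own tooling) for anyone hitting the same cross-site EWS proxy failure: the exception in the log comes from System.Net, so the proxy request is made by .NET, which on Windows negotiates TLS through SCHANNEL. The script below dumps the standard SCHANNEL protocol keys for both the Client and Server sides and the .NET Framework 4.x SchUseStrongCrypto / SystemDefaultTlsVersions values, so you can see whether the box still has a client-side path to TLS 1.1/1.2 after TLS 1.0 is switched off. It assumes the standard registry locations; whether a given Exchange build honours the .NET values for its own proxy code is not something the post establishes, so treat the output as a starting point for comparison between the two servers.

```powershell
# Added example, not part of the original post. Run elevated on each Exchange server.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

# Render a DWORD that may be missing; a missing value means the OS default applies.
function Show-Value {
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    return [string]$Value
}

# Report the Enabled / DisabledByDefault pair for one protocol on one side.
# "Client" governs outbound connections such as the EWS proxy call in the log;
# "Server" governs what IIS/SMTP will accept inbound.
function Get-SchannelState {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $key)) { return 'key absent (OS default)' }
    $p = Get-ItemProperty -Path $key
    return ('Enabled={0} DisabledByDefault={1}' -f
        (Show-Value $p.Enabled), (Show-Value $p.DisabledByDefault))
}

'--- SCHANNEL protocol settings ---'
foreach ($proto in $protocols) {
    foreach ($side in 'Client', 'Server') {
        '{0,-8} {1,-7} {2}' -f $proto, $side, (Get-SchannelState $proto $side)
    }
}

# .NET Framework 4.x client behaviour: without SchUseStrongCrypto=1 (or
# SystemDefaultTlsVersions=1 on builds that support it) a 4.x client offers
# SSL 3.0 / TLS 1.0 only, which matches the symptom of EWS breaking once
# TLS 1.0 is disabled even though TLS 1.1/1.2 are available to SCHANNEL.
'--- .NET Framework 4.x TLS settings ---'
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($net in $netKeys) {
    if (-not (Test-Path $net)) { "$net : key absent"; continue }
    $p = Get-ItemProperty -Path $net
    '{0}: SchUseStrongCrypto={1} SystemDefaultTlsVersions={2}' -f $net,
        (Show-Value $p.SchUseStrongCrypto), (Show-Value $p.SystemDefaultTlsVersions)
}
```

Run it on both servers and diff the two outputs; a Client-side TLS 1.0 that is disabled while the .NET keys are "not set" is the combination worth checking first.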