How to disable TLS 1.0 on Exchange 2010

exchange-2010 tls

We had a PCI scan and it wants us to disable TLS 1.0 on our Server 2008 R2 server running Exchange 2010 (14.03.0248.002). I used IIS Crypto 1.6 build 7 to disable it. SSLLabs gives us an A now, but autodiscover stopped working correctly. I used the "Test E-mail AutoConfiguration" tool and it says…

Autoconfiguration was unable to determine your setting!

in the log tab…

Attempting URL xttps://mail.example.com/autodiscover/autodiscover.xml found through SCP
Autodiscover to xttps://mail.example.com/autodiscover/autodiscover.xml stating GetLastError=12030; xttpStatus=0.
Autodiscover to xttps://mail.example.com/autodiscover/autodiscover.xml Failed (0x800C8203)

ERROR_WINHTTP_CONNECTION_ERROR

12030

The connection with the server has been reset or terminated, or an incompatible SSL protocol was encountered. For example, WinHTTP version 5.1 does not support SSL2 unless the client specifically enables it.

I did some Google searches and didn't find much. Any ideas how to do this?

Best Answer

Sam,

Per this TechNet discussion, it may still be the case that TLS 1.0 is required for Exchange 2010 to function properly.

There is a KB article that includes a fix for this: https://support.microsoft.com/en-us/kb/3029667

However, the TechNet discussion still states it may not resolve it correctly and Exchange 2010 could still have issues:

After installing Rollup 9 and ensuring 1.0 and SSL 3 are disabled, SMTP should begin using 1.1 or 1.2 without further changes. As you mentioned, Exchange Web Services (Out of Office, Free/Busy) will not function correctly with this current implementation.
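
A read-only check that can be run on the Exchange server, added here as an example and not part of the original question or answer: it lists the SCHANNEL protocol registry values that tools such as IIS Crypto change, for both the Client and Server roles, and warns when TLS 1.0 is disabled for a role without TLS 1.1 or 1.2 being explicitly enabled for it. The registry path is the standard SCHANNEL location; the function and variable names are illustrative, and the syntax is kept compatible with the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example: report SCHANNEL protocol settings. Reads the registry only, changes nothing.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles     = 'Client', 'Server'

function Get-SchannelValue($path, $name) {
    # Returns $null when the key or value is absent, meaning the OS default applies.
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

$report = foreach ($p in $protocols) {
    foreach ($r in $roles) {
        $path    = Join-Path (Join-Path $base $p) $r
        $enabled = Get-SchannelValue $path 'Enabled'
        $dbd     = Get-SchannelValue $path 'DisabledByDefault'

        # Enabled = 0 disables the protocol; any non-zero value (often 0xffffffff) enables it.
        if     ($null -eq $enabled) { $state = 'not set (OS default)' }
        elseif ($enabled -eq 0)     { $state = 'disabled' }
        else                        { $state = 'enabled' }

        New-Object PSObject -Property @{
            Protocol = $p; Role = $r; State = $state; DisabledByDefault = $dbd
        }
    }
}

$report | Select-Object Protocol, Role, State, DisabledByDefault | Format-Table -AutoSize

# Flag a role where TLS 1.0 is off but no newer TLS version is explicitly on.
foreach ($r in $roles) {
    $rows  = $report | Where-Object { $_.Role -eq $r }
    $tls10 = $rows | Where-Object { $_.Protocol -eq 'TLS 1.0' }
    $newer = $rows | Where-Object {
        ($_.Protocol -eq 'TLS 1.1' -or $_.Protocol -eq 'TLS 1.2') -and
        $_.State -eq 'enabled' -and $_.DisabledByDefault -eq 0
    }
    if ($tls10.State -eq 'disabled' -and -not $newer) {
        Write-Warning "$r role: TLS 1.0 is disabled and TLS 1.1/1.2 are not explicitly enabled."
    }
}
```

A warning for either role shows only the configured SCHANNEL state; whether Exchange 2010 components can actually use TLS 1.1 or 1.2 still depends on the update level discussed in the answer.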