I recently ran a Qualys SSL Labs server test against a couple of our external FQDNs. I noticed that the ones proxied by our Microsoft Forefront Threat Management Gateway 2010 devices all fail the test miserably with an F rating because they support insecure client-initiated renegotiation.
I've learned that this can be resolved by ensuring that KB980436 is installed and adding a DWORD value of "0" for "AllowInsecureRenegoClients", located at HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\; however, I also saw some information that if you do this as well as disable SSL 3.0, Outlook for Mac 2011 and 2016 clients will not be able to communicate with Exchange. We do use both Outlook for Mac 2011 and 2016 in our environment, so we obviously need this to be able to talk with Exchange.
Do we really just have to live with a horribly insecure TLS configuration on our TMG servers?
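
A read-only PowerShell check for the settings named in the question, added here as an example and not part of the original post. It assumes it is run locally on the TMG server; the helper name `Get-DwordOrNull` is hypothetical, and the `Protocols\SSL 3.0\Server` subkey is the standard SCHANNEL location for the SSL 3.0 switch, which the post does not spell out.

```powershell
# Audit only: reads state, changes nothing.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-DwordOrNull([string]$Path, [string]$Name) {
    # Returns the registry value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

# 1. Is the update named in the post installed?
#    Caveat: if a later update superseded it, Get-HotFix may not list this KB id.
$kb = Get-HotFix -Id 'KB980436' -ErrorAction SilentlyContinue

# 2. The renegotiation value from the post (0 is the setting it describes).
$renego = Get-DwordOrNull $schannel 'AllowInsecureRenegoClients'

# 3. Server-side SSL 3.0 switch (Enabled = 0 means SSL 3.0 is disabled).
$ssl3 = Get-DwordOrNull "$schannel\Protocols\SSL 3.0\Server" 'Enabled'

# Render missing values explicitly so "absent" is not confused with 0.
$renegoText = '(not set)'
if ($null -ne $renego) { $renegoText = $renego }
$ssl3Text = '(not set)'
if ($null -ne $ssl3) { $ssl3Text = $ssl3 }

$report = New-Object PSObject -Property @{
    Computer                   = $env:COMPUTERNAME
    KB980436Installed          = [bool]$kb
    AllowInsecureRenegoClients = $renegoText
    Ssl3ServerEnabled          = $ssl3Text
}
$report | Format-List Computer, KB980436Installed, AllowInsecureRenegoClients, Ssl3ServerEnabled

# Flag the combination the post is worried about before it reaches production.
if (($null -ne $renego) -and ($renego -eq 0) -and ($null -ne $ssl3) -and ($ssl3 -eq 0)) {
    Write-Warning 'Renegotiation value is 0 AND SSL 3.0 is disabled: test Outlook for Mac 2011/2016 against Exchange.'
}
elseif (-not $kb) {
    Write-Warning 'KB980436 not listed; the registry value has no effect without the update.'
}
```

Running this before and after the change gives a record of the SCHANNEL state to compare against the SSL Labs result and the Outlook for Mac test.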