OK, finally tracked this one down. It turns out it wasn't a port on the server instance, but one on the forwarder instance (on the same machine). web.conf had the mgmtHostPort set, and adding an sslVersions = tls1.2 in server.conf solved the problem and I now have clean scans.
Thanks all for the help.
... View more