Exchange 2003 was very different in how you access Outlook Web Access than in Exchange 2007. In 2003, the actual back end server, and more specifically STORE.EXE, was responsible for generating the OWA view. In 2007, the Client Access Server is responsible for it.
During your migration, you will no doubt have a point where there are Client Access Servers now serving your internal or external OWA page, with users having mailboxes on 2003 servers. If you are a smaller installation, say you only had 1 or 2 Exchange 2003 servers, you may not have had 2003 Front End servers, and this would mean users would access the server directly for OWA.
Since you are a good admin, and you wanted to encrypt and protect your users and their data, you have enabled Forms Based Authentication, which means you have deployed SSL.
Now, when your users attempt to log into their OWA page, after inputting their user name in password in the 2007 forms based page, they receive the following message:
This is because you have checked on the 2003 Back End server to require SSL in IIS, you most likely did it on the properties of the Default Web Site:
To change this behavior, you need to disable “Require Secure Channel (SSL)” on the following virtual directories:
This is because the Client Access Service proxies your request to the 2003 Back End server in HTTP, not HTTPS.
After you make this change, you will be able to access the OWA page for 2003 users through the CAS servers without issue. Also, if you enable Integrated Windows Authentication on the /Exchange directory, this will stop your passwords from being sent in plain text if they try to access the OWA page directly from the 2003 server internally. Still keep port 80 closed externally of course!