I'm assuming his Exchange server is using a self-signed certificate? If he's got a public/real SSL cert it shouldn't be a problem. This can be easily tested by going to
https://server.company.com/oma - if you get a connection and IE/Firefox doesn't biatch, then the cert should work with the PPC.
Use the search on the MS Knowledge Base. I know there's a how-to on the web somewhere and I think they wrote it.
Note that if they're using forms-based authentication on the Exchange server, you'll have to jump through a bunch of extra hoops to make direct ActiveSync work. See here.