DEPLOY A SINGLE-SERVER OFFICE WEB APPS SERVER FARM THAT USES HTTPS

Lync Server 2013 introduces a requirement for Office Web Apps Server to support the use of PowerPoint presentations in Lync online meetings. An Office Web Apps Server farm provides Office Web Apps functionality to SharePoint 2013, Lync Server 2013, and Exchange Server 2013 once it is properly configured for each of these products.
REQUIREMENTS AND PREREQUISITES

Office Web Apps Server cannot be collocated on any Lync Server. Use a dedicated server with a fresh installation of Windows 2008 R2 SP1, Windows 2012 or Windows 2012 R2.

WINDOWS 2008 R2 SERVER NEEDS THE FOLLOWING SOFTWARE COMPONENTS:

- .NET Framework 4.5
- Windows Management Framework 3.0
- KB2592525

WINDOWS 2008 R2 SERVER NEEDS THE FOLLOWING COMPONENTS:

    Import-Module ServerManager
    Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support

WINDOWS 2012 AND WINDOWS 2012 R2 SERVERS NEED THE FOLLOWING COMPONENTS:

    Import-Module ServerManager
    Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices,NET-Framework-Features,NET-Framework-Core,NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-WCF-HTTP-Activation45

INSTALLATION OF OFFICE WEB APPS SERVER

Download the following files:

- Microsoft Office Web Apps Server 2013 (Install First)
- Update for Microsoft Office Web Apps Server 2013 (KB2837634) (Install Second)

The default installation is perfectly fine. The installation process is fast and straightforward. Once the installation of Microsoft Office Web Apps Server 2013 has completed, run the Update for Microsoft Office Web Apps Server 2013 (KB2837634).
For production environments, the use of HTTPS is strongly recommended. Using HTTPS allows you to implement Office Web Apps Server functionality for Lync Server 2013; HTTPS is a must requirement if you want to implement Office Web Apps for Lync 2013. Once implemented, it allows Lync 2013 clients to view PowerPoint files in a meeting or IM session. Installing an SSL certificate on the server used for Office Web Apps is a MUST requirement.
THE FOLLOWING IS THE DESCRIPTION AND REQUIREMENTS FOR THE CERTIFICATE:

CERTIFICATES USED BY OFFICE WEB APPS SERVER NEED TO MEET THE FOLLOWING REQUIREMENTS:

- The Certificate must come from a trusted Certificate Authority and include the Fully Qualified Domain Name (FQDN) of the Office Web Apps Server Farm in the SAN (Subject Alternative Name) field. (If the FQDN is not in the SAN when you try to use the certificate, the browser will either show security warnings or won't process the request.)
- The Certificate must have an exportable private key. On single-server farms, this option is selected by default when you use the Internet Information Services (IIS) Manager snap-in to import the certificate.
- The Friendly Name Field MUST be unique within the Trusted Root Certificate Authorities Store. If there are multiple Certificates that share a Friendly Name Field, FARM CREATION WILL FAIL because the New-OfficeWebAppsFarm cmdlet will not know which of those Certificates to use.
- The FQDN in the SAN field cannot begin with an asterisk (*).
- Office Web Apps Server DOES NOT REQUIRE ANY SPECIAL CERTIFICATE PROPERTIES OR EXTENSIONS. EXAMPLE: Client Enhanced Key Usage (EKU) extensions or Server EKU extensions are not required.
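The requirements above can be checked before farm creation with a short pre-flight script. This is an added example, not part of the original guide; the function name, the owa.contoso.com values and the choice to search both the Personal and Trusted Root stores are assumptions.

```powershell
# Added example (not from the original guide): pre-flight check of the farm certificate.
# Test-OwaFarmCertificate is a hypothetical helper; FQDN and friendly name are placeholders.
function Test-OwaFarmCertificate {
    param(
        [Parameter(Mandatory=$true)] [string] $FarmFqdn,
        [Parameter(Mandatory=$true)] [string] $FriendlyName
    )
    # The friendly name must identify exactly one certificate, otherwise
    # New-OfficeWebAppsFarm cannot tell which one -CertificateName refers to.
    # Assumption: the server certificate lives in LocalMachine\My; Root is searched as well.
    $stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'
    $candidates = @(Get-ChildItem -Path $stores |
        Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($candidates.Count -ne 1) {
        "Friendly name '$FriendlyName' matches $($candidates.Count) certificates; it must match exactly one."
        return
    }
    $cert = $candidates[0]

    # Presence of a private key only; exportability is not checked here.
    if (-not $cert.HasPrivateKey) { 'No private key is associated with the certificate.' }

    # Basic chain validation against this machine's trust stores (may need network
    # access for revocation checking).
    if (-not $cert.Verify()) { 'Certificate chain does not validate to a trusted CA.' }

    # Subject Alternative Name extension (OID 2.5.29.17). Format() renders entries as
    # "DNS Name=host" on English-language Windows; the label is locale dependent.
    $sanNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanNames = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }
    if ($sanNames -notcontains $FarmFqdn) { "SAN does not list $FarmFqdn." }
    $sanNames | Where-Object { $_.StartsWith('*') } |
        ForEach-Object { "SAN entry '$_' begins with an asterisk." }
}

$issues = @(Test-OwaFarmCertificate -FarmFqdn 'owa.contoso.com' -FriendlyName 'owa.contoso.com')
if ($issues.Count) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    'Certificate meets the checked requirements.'
}
```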
THE CERTIFICATE MUST BE IMPORTED AS FOLLOWS:

FOR SINGLE-SERVER FARMS

The Certificate MUST be imported directly on the Server that runs Office Web Apps Server. Do not bind the Certificate manually. The New-OfficeWebAppsFarm cmdlet will do the proper import. IF YOU BIND THE CERTIFICATE MANUALLY, IT WILL BE DELETED EVERY TIME THE SERVER RESTARTS.

FOR LOAD-BALANCED FARMS

If you are offloading SSL, the certificate must be imported on the hardware load balancer. If you're not offloading SSL, you'll need to install the certificate on each server in the Office Web Apps Server farm.

NOTE: DO NOT USE SELF-SIGNED CERTIFICATES EXCEPT IN NON-CRITICAL TEST ENVIRONMENTS.

USING SSL OFFLOADING FOR HARDWARE LOAD BALANCERS

When you set up a new Office Web Apps Server farm, SSL offloading is set to OFF by default. If you are using a hardware load balancer, we recommend you set SSL offloading to ON so that each Office Web Apps Server in the farm can communicate with the load balancer by using HTTP. Setting SSL offloading to ON also provides the following advantages:
- SIMPLIFIED CERTIFICATES MANAGEMENT
- IMPROVED SOFT AFFINITY
- IMPROVED PERFORMANCE

Note that when you use HTTP, traffic from the Load Balancer to the Servers that run Office Web Apps Server is not encrypted, so you need to make sure the network itself is secure. Use of a Private Subnet can help protect traffic.

RESTRICT WHICH SERVERS CAN JOIN AN OFFICE WEB APPS SERVER FARM BASED ON OU MEMBERSHIP

You can prevent unauthorized servers from joining an Office Web Apps Server farm by creating an organizational unit for those servers and then specifying the FarmOU parameter when you create the farm. For more information about the FarmOU parameter, see New-OfficeWebAppsFarm.

LIMIT HOST ACCESS FOR OFFICE WEB APPS SERVER BY USING THE ALLOW LIST

The Allow List is a security feature that prevents unwanted hosts from connecting to an Office Web Apps Server farm and using it for file operations without your consent. By adding the domains that contain approved hosts to the Allow List, you can limit the hosts to which Office Web Apps Server allows file operations requests, such as file retrieval, metadata retrieval, and file changes. You can add domains to the Allow List after you've created the Office Web Apps Server farm.
HERE IS THE PROCEDURE:

NEW-OFFICEWEBAPPSHOST

APPLIES TO: OFFICE WEB APPS SERVER

Adds a host domain to the Allow List for an Office Web Apps Server farm.

    New-OfficeWebAppsHost -Domain <String>

PARAMETERS

    PARAMETER   REQUIRED   TYPE            DESCRIPTION
    Domain      Required   System.String   Specifies the domain to add to the Allow List.
                                           Do not specify an asterisk or start it with a period.

DETAILED DESCRIPTION

The New-OfficeWebAppsHost cmdlet adds a host Domain to the list of host Domains to which Office Web Apps Server allows file operations requests, such as file retrieval, metadata retrieval, and file changes. This list, known as the Allow List, is a security feature that prevents unwanted hosts from connecting to an Office Web Apps Server farm and using it for file operations without your knowledge.

The wildcard * is assumed for any Domain that is added to the Allow List so that requests to all Subdomains are also allowed.

EXAMPLE: If you add the Domain contoso.com to the Allow List, Office Web Apps Server also allows requests to the Domains corp.contoso.com and dev.contoso.com. Requests to other Domains (such as fabrikam.com) are not allowed.
CAUTION: If there are no Domains on the Allow List, Office Web Apps Server allows file requests to hosts in any Domain. Do not leave this list blank if your Office Web Apps Server farm is accessible from the Internet. Otherwise, anyone can use your Office Web Apps Server farm to view and edit content.

EXAMPLE

------------------EXAMPLE 1------------------

    New-OfficeWebAppsHost -Domain contoso.com

This example adds the domain contoso.com to the Allow List.

NOTE: You cannot add multiple host domains to the Allow List all at the same time. You must run the New-OfficeWebAppsHost cmdlet for each host domain that you want to add to the Allow List.

IMPORTANT: If you do not add domains to the Allow List, Office Web Apps Server allows file requests to hosts in any domain. Don't leave this list blank if your Office Web Apps Server farm can be accessed from the Internet. Otherwise, anyone can use your Office Web Apps Server farm to view and edit content.
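Because each domain needs its own call and an empty list allows every host, the Allow List is worth populating and reading back in one pass. The following is an added example, not part of the original guide; the domain names are placeholders, and the allowList property name on the Get-OfficeWebAppsHost output is an assumption to confirm on your server.

```powershell
# Added example (not from the original guide). Run on the Office Web Apps Server.
# Placeholder domains; replace with the domains that contain your approved hosts.
$approvedDomains = 'contoso.com', 'litwareinc.com'

foreach ($domain in $approvedDomains) {
    # The Domain parameter must not contain an asterisk or start with a period;
    # subdomains are covered implicitly, so 'contoso.com' is the correct form.
    if ($domain.Contains('*') -or $domain.StartsWith('.')) {
        Write-Warning "Skipping '$domain': remove the asterisk or leading period."
        continue
    }
    # One call per domain; the cmdlet does not accept several domains at once.
    New-OfficeWebAppsHost -Domain $domain
}

# Read the list back. Assumption: the output exposes the entries as 'allowList'.
$current = @((Get-OfficeWebAppsHost).allowList | Where-Object { $_ })
if ($current.Count -eq 0) {
    Write-Warning 'Allow List is empty: file requests to hosts in ANY domain are allowed.'
} else {
    "Allow List now contains: $($current -join ', ')"
    # Flag anything on the server that was not in the approved set.
    $current | Where-Object { $approvedDomains -notcontains $_ } |
        ForEach-Object { Write-Warning "Unexpected Allow List entry: $_" }
}
```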
SECURING OFFICE WEB APPS SERVER COMMUNICATIONS BY USING HTTPS

THE 3 STEPS TO DEPLOY OFFICE WEB APPS SERVER ARE:

STEP 1: CREATE THE OFFICE WEB APPS SERVER FARM

Use the New-OfficeWebAppsFarm command to create a new Office Web Apps Server farm that consists of a single server, as shown in the following example.
EXAMPLE1: Command configuring Internal & External URL

    New-OfficeWebAppsFarm -InternalUrl "https://owa.contoso.com" -ExternalUrl "https://owa.contoso.com" -CertificateName "owa.contoso.com" -EditingEnabled

EXAMPLE2: Command configuring Internal URL

    New-OfficeWebAppsFarm -InternalUrl "https://owa.contoso.com" -CertificateName "owa.contoso.com" -EditingEnabled

If the command completes successfully, the following output is displayed:

    Setting EditingEnabled to TRUE. You should only do this if users of this Office Web Apps Server have licenses that permit editing using Office Web Apps.
    Continue with this operation?
    [Y]Yes [N]No [S]Suspend [?]Help (default is "Y"):Y

    FarmOU                            :
    InternalURL                       : https://owa.contoso.com/
    ExternalURL                       :
    AllowHTTP                         : False
    SSLOffloaded                      : False
    CertificateName                   : OWA.contoso.com
    EditingEnabled                    : True
    LogLocation                       : C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS
    LogRetentionInDays                : 7
    LogVerbosity                      :
    Proxy                             :
    CacheLocation                     : C:\ProgramData\Microsoft\OfficeWebApps\Working\d
    MaxMemoryCacheSizeInMB            : 75
    DocumentInfoCacheSize             : 5000
    CacheSizeInGB                     : 15
    ClipartEnabled                    : False
    TranslationEnabled                : False
    MaxTranslationCharacterCount      : 125000
    TranslationServiceAppId           :
    TranslationServiceAddress         :
    RenderingLocalCacheLocation       : C:\ProgramData\Microsoft\OfficeWebApps\Working\waccache
    RecycleActiveProcessCount         : 5
    AllowCEIP                         : False
    ExcelRequestDurationMax           : 300
    ExcelSessionTimeout               : 450
    ExcelWorkbookSizeMax              : 10
    ExcelPrivateBytesMax              : -1
    ExcelConnectionLifetime           : 1800
    ExcelExternalDataCacheLifetime    : 300
    ExcelAllowExternalData            : True
    ExcelWarnOnDataRefresh            : True
    OpenFromUrlEnabled                : False
    OpenFromUncEnabled                : True
    OpenFromUrlThrottlingEnabled      : True
    PicturePasteDisabled              : True
    RemovePersonalInformationFromLogs : False
    AllowHttpSecureStoreConnections   : False
    Machines                          : {OWA}

PARAMETERS

- InternalURL is the Fully Qualified Domain Name (FQDN) of the Server that runs Office Web Apps Server, such as http://servername.contoso.com.
- ExternalURL is the FQDN that can be accessed on the Internet.
- CertificateName is the Friendly Name of the Certificate.
- EditingEnabled is optional and enables editing in Office Web Apps when used with SharePoint 2013. This parameter isn't used by Lync Server 2013 or Exchange Server 2013 because those hosts don't support editing.

Additional parameters that configure translation services, proxy servers, ClipArt support, and Online Viewers are described in New-OfficeWebAppsFarm.

If you see 500 Web Service Exceptions or 500.21 Internal Server Error messages
STEP 2: VERIFY THAT THE OFFICE WEB APPS SERVER FARM WAS CREATED SUCCESSFULLY

After the farm is created, details about the farm are displayed in the Windows PowerShell prompt. To verify that Office Web Apps Server is installed and configured correctly, use a web browser to access the Office Web Apps Server discovery URL, as shown in the following example. The discovery URL is the InternalUrl parameter you specified when you configured your Office Web Apps Server farm, followed by /hosting/discovery, for example:

    https://server.contoso.com/hosting/discovery

If Office Web Apps Server works as expected, you should see a Web Application Open Platform Interface Protocol (WOPI)-discovery XML file in your web browser. The first few lines of that file should resemble the following example:

    <?xml version="1.0" encoding="utf-8"?>
    <wopi-discovery><net-zone name="internal-https"><app name="excel" checklicense="true"
    faviconurl="https://wac.contoso.com/x/_layouts/images/favicon_excel.ico"><action name="view"
    urlsrc="https://wac.contoso.com/x/_layouts/xlviewerinternal.aspx?<ui=ui_llcc&><rs=dc_llcc&>"
    default="true" ext="ods"/><action name="view"
    urlsrc="https://wac.contoso.com/x/_layouts/xlviewerinternal.aspx?<ui=ui_llcc&><rs=dc_llcc&>"
    default="true" ext="xls"/><action name="view"

NOTE: Depending on the security settings of your web browser, you might see a message that prompts you to select Show all content before the contents of the discovery XML file are displayed.

STEP 3: CONFIGURE THE HOST

The farm is now ready to provide Office Web Apps functionality to hosts over HTTPS. Visit the following articles for more information about how to configure hosts.
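The Step 2 discovery check can also be scripted, so that before any host is configured you confirm that every advertised action URL uses HTTPS and points at the farm FQDN. This is an added example, not part of the original guide; the function name and owa.contoso.com are assumptions, and the embedded XML is a constructed sample with one deliberately wrong entry.

```powershell
# Added example (not from the original guide). Test-WopiDiscovery is a hypothetical helper.
function Test-WopiDiscovery {
    param(
        [Parameter(Mandatory=$true)] [xml]    $Discovery,
        [Parameter(Mandatory=$true)] [string] $ExpectedHost
    )
    $root = $Discovery.DocumentElement
    if ($root.LocalName -ne 'wopi-discovery') {
        "Root element is '$($root.LocalName)', expected 'wopi-discovery'."
        return
    }
    $actions = $root.SelectNodes('//net-zone/app/action')
    if ($actions.Count -eq 0) {
        'No actions are advertised in the discovery document.'
        return
    }
    foreach ($action in $actions) {
        $zone = $action.ParentNode.ParentNode.GetAttribute('name')
        $app  = $action.ParentNode.GetAttribute('name')
        $ext  = $action.GetAttribute('ext')
        # urlsrc ends in placeholder segments such as <ui=UI_LLCC&>;
        # parse only the part before the '?'.
        $uri = [Uri]($action.GetAttribute('urlsrc') -replace '\?.*$', '')
        if ($uri.Scheme -ne 'https') {
            "[$zone/$app/$ext] urlsrc uses $($uri.Scheme), not https."
        }
        if ($uri.Host -ne $ExpectedHost) {
            "[$zone/$app/$ext] urlsrc host $($uri.Host) is not $ExpectedHost."
        }
    }
}

# Constructed sample: the 'ods' action is deliberately served over http.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<wopi-discovery>
  <net-zone name="internal-https">
    <app name="excel" checklicense="true">
      <action name="view" ext="xls" default="true"
              urlsrc="https://owa.contoso.com/x/_layouts/xlviewerinternal.aspx?&lt;ui=UI_LLCC&amp;&gt;" />
      <action name="view" ext="ods" default="true"
              urlsrc="http://owa.contoso.com/x/_layouts/xlviewerinternal.aspx?&lt;ui=UI_LLCC&amp;&gt;" />
    </app>
  </net-zone>
</wopi-discovery>
'@

$findings = @(Test-WopiDiscovery -Discovery $sample -ExpectedHost 'owa.contoso.com')
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Discovery document is consistent with the expected farm URL.' }

# Against a live farm (Windows PowerShell 3.0 or later):
#   $xml = (Invoke-WebRequest -Uri 'https://owa.contoso.com/hosting/discovery' -UseBasicParsing).Content
#   Test-WopiDiscovery -Discovery $xml -ExpectedHost 'owa.contoso.com'
```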
CONFIGURING INTEGRATION WITH OFFICE WEB APPS SERVER AND LYNC SERVER 2013

LYNC SERVER 2013

Lync Server 2013 employs Office Web Apps Server to handle PowerPoint presentations. For information about the advantages to this approach, see Web Conferencing Overview. In order to use these new capabilities, administrators must install Office Web Apps Server and must configure Lync Server 2013 to communicate with Office Web Apps Server.

CONFIGURING LYNC SERVER 2013 TO WORK WITH OFFICE WEB APPS SERVER

Before you can configure Lync Server 2013 to use Office Web Apps Server, Office Web Apps Server must be deployed and configured. After Office Web Apps Server has been successfully installed and your Web farm correctly configured, you must then configure Lync Server 2013 to communicate with the new Server; this is done by adding the Office Web Apps Server discovery URL to your Lync Server topology. To add Office Web Apps Server to your topology, complete the following steps:

1. Click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Topology Builder.
2. In the Topology Builder dialog box, select Download Topology from existing deployment and then click OK.
3. In the Save Topology As dialog box, type a name for your topology document (for example, PreWebAppsServerTopology) in the File name box and then click Save. This topology can later be retrieved and republished if you encounter problems with your new topology.
4. In Topology Builder, expand Lync Server 2013, expand the name of your site, expand Enterprise Edition Front End pools, right-click the name of one of your pools, and then click Edit Properties.
5. In the Edit Properties dialog box, on the General tab, find the heading Associate Office Web Apps Server and then click New (or select an existing Office Web Apps Server from the drop-down list).
6. In the Define New Office Web Apps Server dialog box, type the fully qualified domain name (FQDN) of your Office Web Apps Server computer in the Office Web Apps Server FQDN box; when you do this, your Office Web Apps Server discovery URL should automatically be entered into the Office Web Apps Server discovery URL box. If the Office Web Apps Server is installed on-premises and in the same network zone as Lync Server 2013, then the option Office Web Apps Server is deployed in an external network (that is, perimeter/internet) should not be selected. If the Office Web Apps Server is deployed outside your internal firewall, then select the option Office Web Apps Server is deployed in an external network (that is, perimeter/internet).
7. In the Define New Office Web Apps Server dialog box, click OK, and then click OK in the Edit Properties dialog box.

The Office Web Apps discovery URL will then be listed as one of the pool's Associations. You will have to repeat this process for each pool that needs to be associated with your Office Web Apps Server.

After you have added the discovery URL to the topology you must then publish this updated topology. To do that in Topology Builder:

1. Click Action and then click Publish Topology.
2. In the Publish Topology wizard, on the Publish the Topology page, click Next.
3. On the Publishing wizard complete page, click Finish.
4. Close Topology Builder.
VALIDATING THE CONFIGURATION OF OFFICE WEB APPS SERVER

After Office Web Apps Server has been added to the topology, and after that topology has been published, you should see two new event log events in the Lync Server event log. First, an LS Data MCU event (EVENT ID 41032) should be added; this event will report that the Office Web Apps Server has been discovered:

    Web Conferencing Server WAC is discovered, PowerPoint content is enabled.

In addition to that you should see another LS Data MCU event (EVENT ID 41032) that reports back Office Web Apps Server URLs. For example, you should see something similar to this:

    Web Conferencing Server WAS discovery has succeeded.
    WAC internal presenter page: https://atl-officewebapps-001.litwareinc.com/m/Presenter.aspx?a=0&embed=
    WAC internal attendee page: https://atl-officewebapps-001.litwareinc.com/m/ParticipantFrame.aspx?a=0&embed=true&=
    WAC external presenter page: https://atl-officewebapps-001.litwareinc.com/m/Presenter.aspx?a=0&embed
    WAC internal attendee page: https://atl-officewebapps-001.litwareinc.com/m/ParticipantFrame.aspx?a=0&embed=true&

If you see an LS Data MCU event with the EVENT ID OF 41033, that means that Office Web Apps Server discovery has failed. In that case, Microsoft Lync Server 2013 will try as many times as needed to discover the newly-configured Office Web Apps Server. If the discovery process fails repeatedly you should remove Office Web Apps Server from your topology document, publish the updated topology, and then try adding Office Web Apps Server back to the topology after the connectivity issues have been resolved.

If Office Web Apps Server appears to be configured correctly and has been recognized by the discovery process you can verify that Office Web Apps Server is working as expected by sharing a PowerPoint presentation between a pair of Microsoft Lync 2013 clients.

IF USER A CAN LOAD AND DISPLAY THE POWERPOINT PRESENTATION AND IF USER B CAN THEN JOIN THE MEETING AND SEE THAT PRESENTATION THEN OFFICE WEB APPS SERVER IS WORKING.

EVEN IF OFFICE WEB APPS SERVER APPEARS TO BE CONFIGURED CORRECTLY, YOU COULD POTENTIALLY RECEIVE THE ERROR MESSAGE "SOME SHARING FEATURES ARE UNAVAILABLE DUE TO SERVER CONNECTIVITY ISSUES" WHEN YOU TRY SHARING A POWERPOINT PRESENTATION. IF YOU RECEIVE THAT ERROR MESSAGE YOU SHOULD RESTART THE FRONT END SERVER (OR SERVERS) ASSOCIATED WITH THE NEW OFFICE WEB APPS SERVER.

CONFIGURING CLIENTS FOR USE WITH OFFICE WEB APPS SERVER

If you want users to experience the full capabilities of Office Web Apps Server then you should upgrade those users to Microsoft Lync 2013; only users of Lync 2013 will be able to do such things as scroll through PowerPoint slides independent of the actual PowerPoint presentation. (That is, these users can look at any slide in the presentation at any time, without interfering in any way with the actual presentation.) Users who are not using Lync 2013 will still be able to join online conferences and view the PowerPoint presentation; however, they will not be able to independently scroll through the slides, nor will they be able to see slide transitions or view embedded videos.

Note that these capabilities will always be available to users of Lync 2013; this is true even if the PowerPoint presenter is running Microsoft Lync 2010. If a PowerPoint presentation is being hosted by a user running Lync 2010, Lync Server 2013 will coordinate with Office Web Apps Server to make sure that Lync 2013 users will view the Office Web Apps Server version of that presentation.

Office Web Apps Server does not provide PowerPoint services for users running clients other than Lync 2013. Instead, those users connect to the Conferencing server service and view PowerPoint presentations the same way they did in Microsoft Lync Server 2010. This also means that these users will only have access to the more limited capabilities offered by Lync Server 2010.

Although no client configuration is required for Office Web Apps Server (other than upgrading users to Lync 2013), it is recommended that conference attendees be upgraded to Internet Explorer 9. Although conferences can be accessed using Internet Explorer 8, there are some limitations to using that Web browser. For example, users of Internet Explorer 8 will not be able to resize the PowerPoint stage to a custom size; instead, they will be limited to using one of three predefined stage sizes. Likewise, Internet Explorer 8 users will not be able to play media files.