Wednesday, September 4, 2013

Deploy Office Web Apps Server 2013 and external publishing

Office Web Apps Server 2013 is the central component for presenting and editing Microsoft Office documents through web services. One Web Apps Server farm is shared by Lync, Exchange and SharePoint.

Version 1.5: 17.12.2014

Web Apps Server can be installed as a standalone system or as a load-balanced farm (web cluster).


Prerequisites:
Microsoft Office Web Apps Server used to be available from the Download Center. Since 24.Nov.2014 it is only available via the Volume Licensing Portal and an MSDN subscription. For easy deployment, make sure you download the version that includes Service Pack 1.
(Reference: http://blogs.technet.com/b/office_sustained_engineering/archive/2014/10/22/web-apps-server-removal-from-download-center.aspx)



While it downloads, we can configure the other prerequisites.

Windows Server 2008 R2
If you’re using Windows Server 2008 R2, download Microsoft’s .NET Framework 4.5, Windows Management Framework 3.0 and KB2592525, which allow the application to run in a Server 2008 R2 environment. Additionally apply KB2670838.
Install all of the above, then run this from an elevated PowerShell:

Import-Module ServerManager

Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support
 
Restart the server if you’re prompted to do so.


Note:
If Windows Server 2008 R2 reports that KB2592525 is not applicable to your computer, you need to remove the conflicting update KB2670838.
A second option is described here: TechNet



Windows Server 2012 and Windows Server 2012 R2
If you’re using Windows Server 2012 or 2012 R2, it’s even easier: just run the following from an elevated PowerShell (Server 2012 imports the relevant PowerShell modules automatically, so you don’t have to use the “Import-Module” command):

Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices

Restart the server if you’re prompted to do so.


Install the Microsoft Office Web Apps Server:

Certificate Requirements:

WAC Server configuration
  Setting               Value
  externalURL
  internalURL
  AllowHTTP             FALSE
  SSLOffloading [1]     FALSE
  CertificateName       OfficeWebApp

WAC Server certificate
  Field                 Value
  Common Name           server.internalDomain.intern
  SAN                   server.internalDomain.intern
  SAN                   webapp.extDomain.de
  SAN [2]               server

[1] TRUE if a hardware load balancer (HLB) performs SSL offloading.
[2] If the WAC Server is deployed without an externalURL, the NetBIOS name might appear.



Now start configuring the WAC server:
New-OfficeWebAppsFarm -InternalUrl "https://internalFQDN" -ExternalUrl "https://externalFQDN" -CertificateName "OfficeWebApp" -EditingEnabled

In Lync you only need the internal discovery URL:
https://internalFQDN/hosting/discovery

Lync 2013 Server picks up the internal and external URLs configured on the WAC Server.
Now we need to verify that the Lync 2013 Front End has the correct setting.
Filter the Lync FE event log for the WAC-related events 41032 and 41034.

You will find an entry similar to this:

- System
  - Provider 
     [ Name]  LS Data MCU        
  - EventID 41032
     [ Qualifiers]  17402      
   Level 4
   Task 1018
   Keywords 0x80000000000000
  - TimeCreated
     [ SystemTime]  2013-09-04T11:33:32.000000000Z      
   EventRecordID 5473
   Channel Lync Server
   Computer WACinternal.domain.intern
   Security
- EventData
 
 
Snooper tracing with PowerPoint in WAC:

09/04/2013|14:55:10.399 558:61C INFO  ::
SERVICE sip:thomas.poett@acp-test.de SIP/2.0
Via: SIP/2.0/TLS 192.168.1.105:52102
Max-Forwards: 70
From: <sip:thomas.poett@acp-test.de>;tag=1216ee8c42;epid=fe5337abb5
To: <sip:thomas.poett@acp-test.de>
Call-ID: c858fcb8e8dd4390b20bd3957050e6d8
CSeq: 1 SERVICE
Contact: <sip:thomas.poett@acp-test.de;opaque=user:epid:qxOEj3bU1VaO18cHg7Lu4wAA;gruu>
User-Agent: UCCAPI/15.0.4517.1004 OC/15.0.4517.1004 (Microsoft Lync)
Proxy-Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="0A6C31A1", targetname="SVIELYNC.acp.local", crand="f0cb3d02", cnum="276", response="1ccdd5bb003db213989aeda53ed2f12c6e7d97ce"
Content-Type: application/msrtc-reporterror+xml
Content-Length: 1177
<reportError xmlns="http://schemas.microsoft.com/2006/09/sip/error-reporting"><error toUri="sip:thomas.test@testdomain.de;gruu;opaque=app:conf:focus:id:TYQF4ZHC" callId="3a63424bce4f4542a1878cf29782fd35" fromTag="6eec3407d5" toTag="23480080" requestType="" contentType="" responseCode="0"><diagHeader>54025;reason="A viewing URL navigation was attempted.";ClientType=Lync;Build=15.0.4517.1004;ContentMCU="sip:thomas.test@testdomain.de;gruu;opaque=app:conf:data-conf:id:TYQF4ZHC";ConferenceUri="sip:thomas.test@testdomain.de;gruu;opaque=app:conf:focus:id:TYQF4ZHC";LocalFqdn="KOL-SRVPOETT.acp.local";Url="https://webapp.testdomain.de/m/ParticipantFrame.aspx?a=0&amp;e=true&amp;WopiSrc=https%3A%2F%2Fmgacsap40.testdomain.intern%2FDataCollabWeb%2Fwopi%2Ffiles%2F5-1-2EB85D8&amp;access_token=AAMFEHCysGizzW9ZqKYwzMlxwFQGEM34svWrZyP-zsPbJWGjNzKBEHCysGizzW9ZqKYwzMlxwFSCAtO2gyAQW9O14tatIkg7-CY3o087igqpE1IlNxyRe8SIPyn0bYYI1bAhMch30AgIDURhdGFDb2xsYWJXZWI&amp;&lt;fs=FULLSCREEN&amp;&gt;&lt;rec=RECORDING&amp;&gt;&lt;thm=THEME_ID&amp;&gt;&lt;ui=UI_LLCC&amp;&gt;&lt;rs=DC_LLCC&amp;&gt;&lt;na=DISABLE_ASYNC&amp;&gt;"</diagHeader><progressReports/></error></reportError>


Troubleshooting:
Attempted Office Web Apps Server discovery Url: https://webapps.extDomain.de/hosting/discovery/
Received error message: The remote certificate is invalid according to the validation procedure.The number of retries: 13327, since 2/27/2013 9:07:42 PM.
or
Lync 2013 PowerPoint sharing issue: “There was a problem verifying the certificate from the server. Please contact your support team.”




certutil -urlfetch -verify "OfficeWebApp.cer"
Use this command to verify that the CRL distribution point (CDP) in the certificate is reachable and the CRL check succeeds; it exercises the HTTP connection to the CDP.
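To tie the verification steps together (the SAN entries from the certificate table, the discovery URL Lync uses, and the 41032/41034 event filter), here is an added PowerShell check script; it is not part of the original post. It assumes the farm was created with -CertificateName "OfficeWebApp" as above, internalFQDN and externalFQDN are placeholders for your own names, and the net-zone names (internal-https, external-https) follow the WOPI discovery format.

```powershell
# Added verification script (not from the original post). Assumes the farm was
# created with -CertificateName "OfficeWebApp"; the two FQDNs are placeholders.
$InternalFqdn     = "internalFQDN"   # placeholder: WAC internal FQDN
$ExternalFqdn     = "externalFQDN"   # placeholder: WAC external FQDN
$CertFriendlyName = "OfficeWebApp"

# 1. Certificate check: -CertificateName refers to the friendly name of a cert in
#    LocalMachine\My; both FQDNs must appear as SAN entries (see the table above).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $CertFriendlyName } | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$CertFriendlyName' found" }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
$sanNames = @()
if ($sanExt) {
    # Format($true) returns one "DNS Name=<host>" line per SAN entry
    $sanNames = @($sanExt.Format($true) -split "`r?`n" |
                  ForEach-Object { if ($_ -match "^DNS Name=(.+)$") { $Matches[1].Trim() } })
}
foreach ($fqdn in @($InternalFqdn, $ExternalFqdn)) {
    if ($sanNames -contains $fqdn) { Write-Host "OK      SAN contains $fqdn" }
    else                            { Write-Warning "SAN is missing $fqdn" }
}
if ((Get-Date) -gt $cert.NotAfter) { Write-Warning "Certificate expired on $($cert.NotAfter)" }

# 2. Discovery check: fetch the URL Lync is configured with. A certificate that
#    fails validation surfaces here as an exception, the same condition behind
#    "The remote certificate is invalid according to the validation procedure".
$discoveryUrl = "https://$InternalFqdn/hosting/discovery"
try {
    [xml]$disc = (Invoke-WebRequest -Uri $discoveryUrl -UseBasicParsing).Content
    # WOPI discovery groups its actions by net-zone (internal-https / external-https)
    $zones = @($disc.'wopi-discovery'.'net-zone' | ForEach-Object { $_.name })
    Write-Host "Discovery OK; net-zones advertised: $($zones -join ', ')"
    foreach ($z in @("internal-https", "external-https")) {
        if ($zones -notcontains $z) { Write-Warning "net-zone '$z' not advertised" }
    }
} catch {
    Write-Warning "Discovery fetch failed: $($_.Exception.Message)"
}

# 3. Event check, to run on a Lync Front End: the two WAC event IDs from the post.
Get-WinEvent -FilterHashtable @{ LogName = "Lync Server"; Id = 41032, 41034 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = "Message"; e = { $_.Message -replace "\s+", " " } } |
    Format-List
```

Run steps 1 and 2 on the WAC server and step 3 on a Front End; a missing SAN entry or a discovery exception points at the same certificate problem the troubleshooting messages above describe.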

NOTE: IIS Error 500.21

For Windows Server 2008 R2
%systemroot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru
iisreset /restart /noforce


For Windows Server 2012
dism /online /enable-feature /featurename:IIS-ASPNET45



32 comments:

  1. Is there any way to monitor WAC to see who is actively using it?

  2. Hi John,
    well, monitoring is possible with WAS/WAC.
    Microsoft automatically provides several performance counters during the server installation.
    You can e.g. monitor them with SC Operations Manager and define the thresholds.

  3. Does the OWA URL need to be published externally, on TMG for example?
    So do clients communicate with the OWA?

  4. Hi Rommel,
    if you require external web conferencing content, you must publish the WAC/WAS Server.
    This has nothing to do with Outlook Web App (OWA).
    These are two completely different aspects.

    If you indeed mean you want WAS enabled in OWA, then this is also valid: you must publish WAS.

    Thomas

  5. Thanks for the write up, Thomas. As far as the certificate is concerned, if using split DNS, can we get away with using one that only has the external name on it? We have an internal domain, which is .local, but after November 2015 certificates can't have the internal FQDN of the server on it. This would be similar to using a UC cert for Exchange that only has the external names for OWA, EWS, etc, and has the internal URLs reconfigured appropriately. I ask because I am integrating with Lync 2013, and I thought I read that you have to have the internal FQDN of the server on it.

    Replies
    1. Well Jason, you can do so, having the external name only. You need to take care of the internal/external URL settings, similar to Exchange.

  6. Can you not publish the external URL both internally and externally by setting an external DNS in AD?

    Replies
    1. Hi Mark,
      this is related to the SSL security checks. If Lync or other Office servers get aware of the internal FQDN, they will use this and check from the client side the certificate SAN names; if it's matching, it processes the request. If you now publish the external URL also to the internet and the external request is routed to the WAC, the same process applies. So the external clients are able to process the request due to matching FQDNs.
      If you run an AD-related DNS domain internally (DNS split domain concept), the same applies too.

      hope this helps
      Thomas

  7. Just for your information:
    Please apply the CU for WAC: http://support.microsoft.com/kb/2837634/en-us
    Issue that this update fixes:
    Assume that you have Internet Explorer 11 installed. When you try to share a presentation in a Microsoft Lync meeting in Lync 2013, the share attempt fails.

  8. http://blogs.technet.com/b/volume-licensing/archive/2013/05/22/how-to-license-office-web-apps-server.aspx

    How to license WAC Server.
    Btw, editing in this case requires a valid Office 2013 client/device license.

    That also means the WAC Server is always free of charge.

  9. I'm planning to publish WAC externally, but I'm wondering if the internally issued cert will be valid, or do I need to replace the current certificate with one from a public CA?

    Replies
    1. Hi Emanuel,
      internally you need a certificate with the CN/SN and SAN for the WAC FQDN and the NetBIOS name (depends on how you address the WAC server).
      The WAC Server will be published via the reverse proxy.
      And here you must have a public certificate if you use the WAC also for non-domain clients.
      What does this mean:
      If you decided on saving costs and the WAC is only used by clients (e.g. domain members) which have the trusted Root CA certificate, you could publish it also with a private certificate.
      Summary:
      if non-domain and public clients access the WAC, you must have a public certificate
      if your clients have the internal Root CA certificate trusted, you can use the private certificate.

      hope this explains all scenarios.
      Have a nice weekend
      Thomas

  10. Thank you Thomas, that cleared up my concerns. I'm adding an additional SAN to the public certificate used on the reverse proxy, and creating the listener for it with this one.

  11. I would like to use a PUBLIC certificate. Not sure how to do it.

    Currently internal clients are able to open Excel, Word, PP attachments from OWA. I would like them to use it from outside as well, which is not working. I have one SAN certificate that I purchased for Exchange (mail.infotechram.com). Can I use this for Office Web App Server or do I need to purchase another SAN certificate for Office Web App Server?

    Here is my lab setup:
    DC - Server 2012 R2
    EX - 2013 SP1 (with DAG - Ex1 and Ex2)
    Office Web App - Server 2012 R2
    Skype for Business - Server 2012 R2

    I have completed integrating Exchange 2013 and Skype for Business 2015 with Office Web App Server.

    Appreciate your help.

    Ram

    Replies
    1. Hi Ram,
      the OWA (Office Web App) Server needs to be published (either single or in a farm) with its own FQDN. Therefore you cannot use a format like https://mail.infotechram.com/owa or any other vDir. Next, the OWA has to be known by Skype for Business, Lync or Exchange as a trusted system.
      The OWA Server can, but does not have to, have a real external FQDN; you can still set it with the externFQDN parameter, matching your external certificate CN/SAN, so a SAN certificate can be used with a dedicated listener on the reverse proxy.
      Hope this helps

  12. My internal and external URL for OWA are HTTPS://owa.infotechram.com. I have not configured the external SAN CERTIFICATE yet. The SANs I have for Exchange 2013 are mail.infotechram.com, autodiscover.infotechram.com and .infotechram.com. If I understand correctly I will need a new SAN cert or get the old SAN CERT modified to include owa.infotechram.com. Let me know if I have understood the logic. Thanks RAM

    Replies
    1. You are right, you must have a dedicated name (SAN in your case) addressing the OWA server, and buy a new one or add an additional entry to it.

  13. Replies
    1. Hi Salvador, installing the debug tools on WAC and tracing the messages will not work. You need to know where the conference front end pool server is. There you can find the SIP messages.
      hope this helps you troubleshooting

    2. Hi Thomas. We have a problem sharing the PPT from internal to external users & vice versa. We have OWA Server 2013 SP1, running on WS2012 Server. InternalURL & ExternalURL are the same.
      hosting/discovery gives the desired XML output both from internal and external networks. The certificate is from DigiCert and the external URL is in the SAN.
      When a user tries to share a PPT, they get an error "we can't connect to servers for presenting right now".
      The UCCApi logs on the external machines don't have the OWA ExternalURL mentioned. Does that mean it does not know where the WAC server is?
      We also pinged all servers internally and everything is fine; sharing PPT, whiteboard, poll works fine between two internal users.
      Kindly help us resolve this

    3. Hi guruspatil,
      well, it seems you have an issue with the reverse proxy. If it is working internally between users, there is mostly no need to investigate the WAC/OWA.

  14. Hi Thomas. Thanks for the response. The reverse proxy looks fine, we are using Kemp LoadMaster.
    One more strange thing is: netstat -n | find "8057" doesn't give any results on two FEs (we have one pool with 3 FEs). FE1 gives the desired results. FE2 and FE3 return blank. We also get the error ID 41026 on FE2 and FE3.
    Is that the reason why we are not able to share the PPT, poll, whiteboard? Kindly help.

    Replies
    1. Actually not.
      The 8057 is conferencing, but the WAC URL is distributed to the client and connects directly. So if it's not working, the URL isn't published correctly or the WAN isn't working.

  15. Hi Thomas. We are still living with the problem. Whenever an external user shares a presentation (desktop), immediately two events are generated in the Edge (we have a single Edge with one public IP):
    Event ID 36888 & 36874

    Please help me

    Error ID 36888: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
    Error ID 36874: An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed

    Replies
    1. Awaiting to hear from you, Thomas!

    2. Hi, just two pieces of advice: first, never use a single IP, due to blocking on opposite firewalls; mostly you use port 444, which is never opened at any corporate firewall, which causes trouble with CCCP.
      Your issue seems to be a problem with the certificate you are using, leading to a problem with TLS negotiation.
      The error 36888 is a false positive http://support.microsoft.com/kb/260729
      and can be ignored. So you keep with your second error only, and here it is, as said, a problem with the certificate itself. Mostly I guess the usage is wrong in your certificate.

    3. SHA 512 might be chosen, check this. So the workaround would be to create certificates based on SHA 384 or SHA 256.

  16. When I try to browse the WAC URL on a client machine, it cannot be browsed from one machine but can be browsed from another machine in another site.
    Note there is one OWA server in the environment.
    What to do please??

    Replies
    1. Mostly there are two areas you should look in: firewall or a proxy server. I would instantly bet on the proxy server.

  17. Hi Thomas,
    in my case WAC is working fine if both users are connected to the external network;
    it does not work when both users are on the internal LAN/VPN or one is on the office LAN and the other is external.
    I can download the XML and checked all required ports.
    It's a strange one.

    Replies
    1. Hi Firoj,
      the VPN issue could be the WAC network access.
      Please explore also:
      deployment of the internal certificates (root CA) and/or whether an internal proxy is used. Proxies are causing issues.
      Please let me know if it helped
      Thomas

    2. Hi Thomas,

      thanks for the reply. An automatic proxy is being used and all internal traffic is allowed by default. For the certificate we followed what is described below, and the WAC internal and external URLs are the same, with HTTPS.
      FQDN: OwaExtWeb.
      Certificate SN: OwaExtWeb.
      Certificate SAN: wacsrv1.
      Certificate SAN: wacsrv2.
      EKU: server
      Root certificate: private CA
      No events are being generated now (41032, 41034); though I can generate the XML file (local, LAN, internet), I am unable to test https://fqdn.op/generate on the local server (error "Wrong File Type").
      Is there a way we could add a static route for the servers so this can be verified?
