Comments on Thomas.Poett@TEAMS (MVP Teams and Cross-Tenant Migration Specialist): Deploy Office Web Apps Server 2013 and external publishing
Blog author: Thomas Poett. Comment feed last updated 2024-03-04T18:32:32+01:00.

Firoj Khan, 2017-07-10T19:43:05+02:00:
Hi Thomas,

thanks for the reply, automatic proxy is getting used and all internal traffic is allowed by default. For the certificate we followed what is described below, and the WAC internal and external URL are the same, with https.
FQDN: OwaExtWeb.
Certificate SN: OwaExtWeb.
Certificate SAN: wacsrv1.
Certificate SAN: wacsrv2.
EKU: server
Root certificate: private CA
No events are generating now (41032, 41034), though I can generate the XML file (local, LAN, internet) but am unable to test https://fqdn.op/generate on the local server (error "Wrong File Type").
Is there a way we could add a static route for the servers so this can be verified?

Thomas Poett, 2017-07-10T15:59:34+02:00:
Hi Firoj,
the VPN issue could be the WAC network access.
Please explore also:
Deployment of the internal certificates (root CA) and/or if an internal proxy is used. Proxies are causing issues.
Please let me know if it helped
Thomas

Firoj Khan, 2017-07-10T15:08:17+02:00:
Hi Thomas,
in my case WAC is working fine if both users are connected to the external network,
it does not work when both users are on the internal LAN/VPN or one is on the office LAN and another is external.
I can download the XML, and checked all required ports.
It's a strange one.

Thomas Poett, 2017-02-27T09:38:24+01:00:
Mostly there are two areas you should look in, the firewall or a proxy server. I would instantly bet on the proxy server.

Anonymous, 2017-02-27T00:37:24+01:00:
When I try to browse the WAC URL on a client machine, it cannot be browsed from one machine but can be browsed from another machine in another site.
Note there is one OWA server in the environment.
What to do please?

Thomas Poett, 2016-07-04T08:59:21+02:00:
SHA 512 might be chosen, check this.
So the workaround would be to create certificates based on SHA 384 or SHA 256.

Thomas Poett, 2016-07-04T08:57:26+02:00:
Hi, just two pieces of advice: first, never use a single IP, due to blocking on opposite firewalls; mostly you use port 444, which is never opened at any corporate firewall, which causes trouble with CCCP.
Your issue seems to be a problem with the certificate you are using, leading into a problem with TLS negotiation.
The error 36888 is a false positive (http://support.microsoft.com/kb/260729) and can be ignored. So you are left with your second error only, and here it is a problem, as said, with the certificate itself. Mostly I guess the usage is wrong in your certificate.

guruspatil, 2016-07-03T12:06:45+02:00:
Await to hear from you Thomas!

guruspatil, 2016-06-19T05:31:17+02:00:
Hi Thomas. We are still living with the problem. Whenever an external user shares a presentation (desktop), immediately two events are generated on the Edge (we have a single Edge with one public IP):
Event ID 36888 & 36874

Please help me

Error ID 36888: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
Error ID 36874: An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed

Thomas Poett, 2016-05-04T15:24:15+02:00:
Actually not.
The 8057 is conferencing, but the WAC URL is distributed to the client and connects directly. So if it's not working, the URL isn't published correctly or the WAN isn't working.

guruspatil, 2016-04-05T10:38:57+02:00:
Hi Thomas. Thanks for the response. Reverse proxy looks fine, we are using Kemp Loadmaster.
One more strange thing is: netstat -n | find "8057" doesn't give any results in two FEs (we have one pool with 3 FEs). FE1 gives the desired results. FE2 and FE3 return blank. We also get the error ID 41026 on FE2 and FE3.
Is that the reason why we are not able to share the PPT, Poll, Wallboard? Kindly help.

Thomas Poett, 2016-04-02T15:39:04+02:00:
Hi guruspatil,
well, it seems you have an issue with the reverse proxy. If it is working internally between users, you have mostly no need to investigate the WAC/OWA.

guruspatil, 2016-04-01T09:03:10+02:00:
Hi Thomas. We have a problem sharing the PPT from internal to external users & vice versa. We have OWA Server 2013 SP1, running on WS2012 Server. InternalURL & ExternalURL are the same.
Hosting/discovery gives the desired XML output both from internal and external networks. The certificate is from Digicert and the External URL is in the SAN.
When a user tries to share a PPT, they get the error "we can't connect to servers for presenting right now".
The UCCApi logs on the external machines don't have the OWA ExternalURL mentioned. Does that mean it does not know where the WAC server is?
We also pinged all servers internally and everything is fine; sharing PPT, wallboard, poll works fine between two internal users.
Kindly help us resolve this

Thomas Poett, 2015-09-11T11:43:31+02:00:
Hi Salvador, installing the debug tools on WAC and tracing the messages will not work. You need to know where the conference frontend pool server is. There you can find the SIP messages.
Hope this helps you troubleshooting

Ssilva521, 2015-09-05T03:45:09+02:00:
How did you debug WAC with Snooper?

Thomas Poett, 2015-08-18T14:46:58+02:00:
You are right, you must have a dedicated name (SAN in your case) addressing the OWA server and buy a new one, or add an additional entry to it.

Ram, 2015-08-14T00:05:52+02:00:
My internal and external URL for OWA are HTTPS://owa.infotechram.com. I have not configured the external SAN certificate yet. The SANs I have for Exchange 2013 are mail.infotechram.com, autodiscover.infotechram.com and .infotechram.com. If I understand correctly I will need a new SAN cert or get the old SAN cert modified to include owa.infotechram.com. Let me know if I have understood the logic. Thanks RAM

Thomas Poett, 2015-08-12T12:42:00+02:00:
Hi Ram,
the OWA (Office Web App) Server needs to be published (either single or in a farm) with its own FQDN. Therefore you cannot use a format like https://mail.infotechram.com/owa or any other vDir. Next, the OWA has to be known by Skype for Business, Lync or Exchange as a Trusted System.
The OWA Server can, but must not have an extern real FQDN; you can still set it with the externFQDN parameter, matching your external certificate CN/SAN, so a SAN certificate can be used with a dedicated listener on the Reverse Proxy.
Hope this helps

Ram, 2015-08-08T13:58:43+02:00:
I would like to use a PUBLIC certificate. Not sure how to do it.

Currently internal clients are able to open Excel, Word and PowerPoint attachments from OWA. I would like them to use it from outside as well, which is not working. I have one SAN certificate that I purchased for Exchange (mail.infotechram.com). Can I use this for the Office Web App server, or do I need to purchase another SAN certificate for the Office Web App server?

Here is my lab setup:
DC - Server 2012 R2
EX - 2013 SP1 (with DAG - Ex1 and Ex2)
Office Web App - Server 2012 R2
Skype for Business - Server 2012 R2

I have completed integrating Exchange 2013 and Skype for Business 2015 with Office Web App Server.

Appreciate your help.

Ram

emanuelg, 2014-11-21T23:21:44+01:00:
Thank you Thomas, that cleared up my concerns. I'm adding an additional SAN to the public certificate used on the reverse proxy, and will create the listener for it with this one.

Thomas Poett, 2014-11-21T21:37:22+01:00:
Hi Emanuel,
internally you need a certificate with the CN/SN and SAN for the WAC FQDN and the NETBIOS name (depends on how you address the WAC server).
The WAC Server will be published via the Reverse Proxy.
And here you must have a public certificate if you use the WAC also for non-domain clients.
What does this mean:
If you decided to save costs and the WAC is only used by clients (e.g. domain members) which have the Trusted Root CA certificate, you could publish it also with a private certificate.
Summary:
If non-domain and public clients access the WAC, you must have a public certificate.
If you have clients having the internal Root CA certificate trusted, you can use the private certificate.

Hope this explains all scenarios.
Have a nice weekend
Thomas

emanuelg, 2014-11-21T20:22:37+01:00:
I'm planning to publish WAC externally, but I'm wondering if the internally issued cert will be valid, or do I need to replace the current certificate with one from a public CA?

Thomas Poett, 2014-04-28T13:55:53+02:00:
http://blogs.technet.com/b/volume-licensing/archive/2013/05/22/how-to-license-office-web-apps-server.aspx

How to license WAC Server.
Btw, editing in this case requires a valid Office 2013 client/device license.

That also means the WAC Server is always free of charge.

Thomas Poett, 2014-04-28T13:48:30+02:00:
Just for your information:
Please apply the CU for WAC: http://support.microsoft.com/kb/2837634/en-us
Issue that this update fixes:
Assume that you have Internet Explorer 11 installed. When you try to share a presentation in a Microsoft Lync meeting in Lync 2013, the share attempt fails.

Thomas Poett, 2014-01-07T16:57:57+01:00:
Hi Mark,
this is related to the SSL security checks. If Lync or another Office Server becomes aware of the internal FQDN, they will use this and check from the client side the certificate SAN names; if it's matching, it processes the request. If you now publish the external URL also to the internet and the external request is routed to the WAC, the same process applies. So the external clients are able to process the request due to matching FQDNs.
If you run an AD-related DNS domain internally (DNS Split Domain Concept), the same applies too.

Hope this helps
Thomas
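
Added example (not part of the comment thread, and not code from the blog or from Microsoft): the SAN check discussed in the comments, applied to a farm's discovery document. It reads the XML that /hosting/discovery returns and reports every `urlsrc` host that is not HTTPS or is not covered by the certificate's SAN entries. The XML, paths, host names and the certificate dictionary (in the shape Python's `ssl` `getpeercert()` returns) are constructed samples.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of a trimmed /hosting/discovery response; hosts and paths are placeholders.
DISCOVERY_XML = """<wopi-discovery>
  <net-zone name="internal-https">
    <app name="PowerPoint">
      <action name="present" ext="pptx" urlsrc="https://wacsrv1.corp.example/p/Present.aspx?&lt;ui=UI_LLCC&amp;&gt;"/>
    </app>
  </net-zone>
  <net-zone name="external-https">
    <app name="PowerPoint">
      <action name="present" ext="pptx" urlsrc="https://owa.example.com/p/Present.aspx?&lt;ui=UI_LLCC&amp;&gt;"/>
    </app>
  </net-zone>
</wopi-discovery>"""
# Constructed certificate, in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT = {"subjectAltName": tuple(("DNS", n) for n in (
    "mail.example.com", "autodiscover.example.com", "wacsrv1.corp.example"))}

def san_covers(host, dns_names):
    """True if host equals a SAN dNSName or matches a '*.' entry (one left-most label only)."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in dns_names):
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def audit_discovery(xml_text, cert):
    """Return (zone, host, problem) for each distinct urlsrc host a client would reject."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    findings, seen = [], set()
    for zone in ET.fromstring(xml_text).iter("net-zone"):
        for action in zone.iter("action"):
            url = urlsplit(action.get("urlsrc", ""))
            key = (zone.get("name"), url.scheme, url.hostname)
            if key in seen:
                continue
            seen.add(key)
            if url.scheme != "https":
                findings.append((key[0], url.hostname, "not https"))
            elif not san_covers(url.hostname or "", dns_names):
                findings.append((key[0], url.hostname, "host not in certificate SAN"))
    return findings

if __name__ == "__main__":
    print(audit_discovery(DISCOVERY_XML, CERT))
```

With the sample certificate, the external zone's host is flagged because only the mail, autodiscover and internal server names are in the SAN list, which mirrors the situation where an existing Exchange certificate is reused for the WAC URL.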