Deploy Office Web Apps Server 2013 and external publishing
Office Web Apps Server 2013 is the central component for presenting and editing Microsoft Office documents through web services. The Web Apps Server is shared by Lync, Exchange and SharePoint.
Version 1.5: 17.12.2014
Web Apps Server can be installed as a standalone system or in a web cluster (load balanced).
Prerequisites:
Microsoft Office Web Apps Server used to be available from the Download Center. Since 24 Nov 2014 it is only downloadable via the Volume Licensing Portal and an MSDN subscription. For easy deployment, make sure you download the version that includes Service Pack 1.
(Reference: http://blogs.technet.com/b/office_sustained_engineering/archive/2014/10/22/web-apps-server-removal-from-download-center.aspx)
While it downloads, we can configure the other prerequisites.
Windows Server 2008 R2
If you're using Windows Server 2008 R2, download Microsoft .NET Framework 4.5, Windows Management Framework 3.0 and KB2592525, which allow the applications to run in a Server 2008 R2 environment. Additionally apply KB2670838.
Install all of the above, then run this from an elevated PowerShell:
Import-Module ServerManager
Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support
Note:
If Windows Server 2008 R2 reports "KB2592525 is not applicable for your computer", you need to remove the conflicting update KB2670838 first.
A second option is described here: TechNet
Windows Server 2012 and Windows Server 2012 R2
If you're using Windows Server 2012 or 2012 R2, it's even easier; just run the following from an elevated PowerShell (Server 2012 imports the relevant PS modules automatically, so you don't need the "Import-Module" command):
Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices
Restart the server if you’re prompted to do so.
Install the Microsoft Office Web Apps Server:
- Install WAC Server
- Install SP1
  http://support.microsoft.com/kb/2817431/en-us (old, corrupted version of SP1)
  http://support.microsoft.com/kb/2880558/en-us (new release of SP1, April 2014)
- Install Language Packs
- Apply the CU for WAC Server (part of the Office Update, June 2014)
  http://support.microsoft.com/kb/2970262/en-us
WARNING:
If you have installed and configured OWA before and have set up a web farm, follow this article when you apply an OWA update:
http://technet.microsoft.com/en-us/library/jj966220.aspx
Certificate Requirements:

WAC Server          | Configuration
--------------------|-----------------------------
externalURL         |
internalURL         |
AllowHTTP           | FALSE
SSLOffloading [1]   | FALSE
CertificateName     | OfficeWebApp

WAC Server Certificate | Configuration
-----------------------|-----------------------------
Common Name            | server.internalDomain.intern
SAN                    | server.internalDomain.intern
SAN                    | webapp.extDomain.de
SAN [2]                | server

[1] TRUE, if a hardware load balancer (HLB) is used for SSL offloading
[2] If the WAC Server is deployed without an externalURL, the NetBIOS name might appear!
Now start configuring the WAC server:
New-OfficeWebAppsFarm -InternalUrl "https://internalFQDN" -ExternalUrl "https://externalFQDN" -CertificateName "OfficeWebApp" -EditingEnabled
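As an added check (example script, not part of the original post or of the WAC product), the following reads the farm settings back with Get-OfficeWebAppsFarm and verifies that the host names of InternalUrl and ExternalUrl appear in the CN or SAN of the certificate selected by CertificateName (a friendly name in the machine store), that AllowHttp is FALSE as in the table above, and that the chain builds with online revocation checking, which is what the certutil -urlfetch -verify step in the troubleshooting section tests by hand. Exact name matching is assumed; wildcard SAN entries are not handled.

```powershell
# Added example: cross-check the WAC farm against the bound certificate.
# Run in an elevated PowerShell on the WAC server itself.
Import-Module OfficeWebApps

function Test-WacFarmCertificate {
    $farm = Get-OfficeWebAppsFarm

    # -CertificateName refers to the friendly name of a cert in LocalMachine\My.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $farm.CertificateName } |
        Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate with friendly name '$($farm.CertificateName)' in LocalMachine\My"
        return $false
    }

    # Collect every DNS name the certificate covers: the CN plus all SAN entries.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    $ok = $true
    foreach ($url in @($farm.InternalUrl, $farm.ExternalUrl)) {
        if ([string]::IsNullOrEmpty($url)) { continue }
        $hostName = ([Uri]$url).Host
        # Exact match only (assumption); a wildcard SAN would be reported as missing.
        if ($names -notcontains $hostName) {
            Write-Warning "Host '$hostName' from '$url' is not covered by the certificate (CN/SAN: $($names -join ', '))"
            $ok = $false
        }
    }

    # Clients must reach the farm over HTTPS only; AllowHttp should stay FALSE.
    if ($farm.AllowHttp) {
        Write-Warning 'AllowHttp is TRUE; the farm should only be reachable over HTTPS'
        $ok = $false
    }

    # Build the chain with online revocation checking (CDP/CRL must be reachable).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation.Trim())" }
        $ok = $false
    }
    return $ok
}

Test-WacFarmCertificate
```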
In Lync you only need the internal discovery URL:
https://internalFQDN/hosting/discovery
Lync Server 2013 will identify the internal and external URL configured on the WAC Server.
Now we need to verify that the Lync 2013 Front End has the correct setting.
Filter the Lync FE event log for all WAC related events: 41032 and 41034.
You will find an entry similar to this:
- System
  - Provider
      [ Name]        LS Data MCU
  - EventID          41032
      [ Qualifiers]  17402
    Level            4
    Task             1018
    Keywords         0x80000000000000
  - TimeCreated
      [ SystemTime]  2013-09-04T11:33:32.000000000Z
    EventRecordID    5473
    Channel          Lync Server
    Computer         WACinternal.domain.intern
    Security
- EventData
SNOOPER TRACING with PowerPoint in WAC:
09/04/2013|14:55:10.399 558:61C INFO ::
SERVICE sip:thomas.poett@acp-test.de SIP/2.0
Via: SIP/2.0/TLS 192.168.1.105:52102
Max-Forwards: 70
From: <sip:thomas.poett@acp-test.de>;tag=1216ee8c42;epid=fe5337abb5
To: <sip:thomas.poett@acp-test.de>
Call-ID: c858fcb8e8dd4390b20bd3957050e6d8
CSeq: 1 SERVICE
Contact: <sip:thomas.poett@acp-test.de;opaque=user:epid:qxOEj3bU1VaO18cHg7Lu4wAA;gruu>
User-Agent: UCCAPI/15.0.4517.1004 OC/15.0.4517.1004 (Microsoft Lync)
Proxy-Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="0A6C31A1", targetname="SVIELYNC.acp.local", crand="f0cb3d02", cnum="276", response="1ccdd5bb003db213989aeda53ed2f12c6e7d97ce"
Content-Type: application/msrtc-reporterror+xml
Content-Length: 1177
<reportError xmlns="http://schemas.microsoft.com/2006/09/sip/error-reporting"><error toUri="sip:thomas.test@testdomain.de;gruu;opaque=app:conf:focus:id:TYQF4ZHC" callId="3a63424bce4f4542a1878cf29782fd35" fromTag="6eec3407d5" toTag="23480080" requestType="" contentType="" responseCode="0"><diagHeader>54025;reason="A viewing URL navigation was attempted.";ClientType=Lync;Build=15.0.4517.1004;ContentMCU="sip:thomas.test@testdomain.de;gruu;opaque=app:conf:data-conf:id:TYQF4ZHC";ConferenceUri="sip:thomas.test@testdomain.de;gruu;opaque=app:conf:focus:id:TYQF4ZHC";LocalFqdn="KOL-SRVPOETT.acp.local";Url="https://webapp.testdomain.de/m/ParticipantFrame.aspx?a=0&e=true&WopiSrc=https%3A%2F%2Fmgacsap40.testdomain.intern%2FDataCollabWeb%2Fwopi%2Ffiles%2F5-1-2EB85D8&access_token=AAMFEHCysGizzW9ZqKYwzMlxwFQGEM34svWrZyP-zsPbJWGjNzKBEHCysGizzW9ZqKYwzMlxwFSCAtO2gyAQW9O14tatIkg7-CY3o087igqpE1IlNxyRe8SIPyn0bYYI1bAhMch30AgIDURhdGFDb2xsYWJXZWI&<fs=FULLSCREEN&><rec=RECORDING&><thm=THEME_ID&><ui=UI_LLCC&><rs=DC_LLCC&><na=DISABLE_ASYNC&>"</diagHeader><progressReports/></error></reportError>
Troubleshooting:
Attempted Office Web Apps Server discovery Url: https://webapps.extDomain.de/hosting/discovery/
Received error message: The remote certificate is invalid according to the validation procedure. The number of retries: 13327, since 2/27/2013 9:07:42 PM.
or
Lync 2013 PowerPoint sharing issue: “There was a problem verifying the certificate from the server. Please contact your support team.”
certutil -urlfetch -verify OfficeWebApp.cer
Use this command to verify that the CDP used for the CRL check in the certificate is correct; it also verifies the HTTP connection to the CRL distribution point.
NOTE: IIS Error 500.21
For Windows Server 2008 R2:
%systemroot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru
iisreset /restart /noforce
For Windows Server 2012:
dism /online /enable-feature /featurename:IIS-ASPNET45
Author: Thomas Pött Managing Consultant Microsoft UC
Is there any way to monitor WAC to see who is actively using it?
Hi John,
well, monitoring is possible with WAS/WAC.
Microsoft automatically provides several performance counters during the server installation.
You can e.g. monitor them with SC Operations Manager and define the thresholds.
Does the OWA URL need to be published externally, on TMG for example?
So do clients communicate with the OWA?
Hi Rommel,
if you require external web conferencing content, you must publish the WAC/WAS Server.
This has nothing to do with Outlook Web App (OWA).
These are two completely different aspects.
If you indeed mean that you want WAS enabled in OWA, then this is also valid: you must publish WAS.
Thomas
Thanks for the write up, Thomas. As far as the certificate is concerned, if using split DNS, can we get away with using one that only has the external name on it? We have an internal domain, which is .local, but after November 2015 certificates can't have the internal FQDN of the server on it. This would be similar to using a UC cert for Exchange that only has the external names for OWA, EWS, etc, and has the internal URLs reconfigured appropriately. I ask because I am integrating with Lync 2013, and I thought I read that you have to have the internal FQDN of the server on it.
Well Jason, you can do so, having the external name only. You need to take care of the internal/external URL settings, similar to Exchange.
Can you not publish the external URL both internally and externally by setting an external DNS in AD?
Hi Mark,
this is related to the SSL security checks. If Lync or other Office Servers get aware of the internal FQDN, they will use this and check the certificate SAN names from the client side; if it matches, the request is processed. If you now publish the external URL also to the internet and the external request is routed to the WAC, the same process applies. So the external clients are able to process the request due to matching FQDNs.
If you run an AD related DNS domain internally (DNS split domain concept), the same applies too.
hope this helps
Thomas
Just for your information:
Please apply the CU for WAC: http://support.microsoft.com/kb/2837634/en-us
Issue that this update fixes:
Assume that you have Internet Explorer 11 installed. When you try to share a presentation in a Microsoft Lync meeting in Lync 2013, the share attempt fails.
http://blogs.technet.com/b/volume-licensing/archive/2013/05/22/how-to-license-office-web-apps-server.aspx
How to license WAC Server.
Btw, editing in this case requires a valid Office 2013 client/device license.
That also means the WAC Server is always free of charge.
I'm planning to publish WAC externally, but I'm wondering if the internally issued cert will be valid, or do I need to replace the current certificate with one from a public CA?
Hi Emanuel,
internally you need a certificate with the CN/SN and SAN for the WAC FQDN and the NetBIOS name (depends on how you address the WAC server).
The WAC Server will be published via the reverse proxy.
And here you must have a public certificate if you use the WAC also for non-domain clients.
What does this mean:
If you decided to save costs and the WAC is only used by clients (e.g. domain members) which have the trusted root CA certificate, you could publish it also with a private certificate.
Summary:
If non-domain and public clients access the WAC, you must have a public certificate.
If you have clients that trust the internal root CA certificate, you can use the private certificate.
hope this explains all scenarios.
Have a nice weekend
Thomas
Thank you Thomas, that cleared up my concerns. I'm adding an additional SAN to the public certificate used on the reverse proxy, and create the listener for it with this one.
I would like to use a PUBLIC certificate. Not sure how to do this.
Currently internal clients are able to open Excel, Word and PowerPoint attachments from OWA. I would like them to use it from outside as well, which is not working. I have one SAN certificate that I purchased for Exchange (mail.infotechram.com). Can I use this for Office Web Apps Server or do I need to purchase another SAN certificate for Office Web Apps Server?
Here is my lab setup:
DC - Server 2012 R2
EX -2013 SP1 (with DAG - Ex1 and Ex2)
Office Web App - Server 2012 R2
Skype for Business - Server 2012 R2
I have completed integrating Exchange 2013 and Skype for Business 2015 with Office Web App Server.
Appreciate your help.
Ram
Hi Ram,
the OWA (Office Web Apps) Server needs to be published (either single or in a farm) with its own FQDN. Therefore you cannot use a format like https://mail.infotechram.com/owa or any other vDir. Next, the OWA has to be known by Skype for Business, Lync or Exchange as a trusted system.
The OWA Server can, but need not, have a real external FQDN; you can still set it with the externalFQDN parameter, matching your external certificate CN/SAN, so a SAN certificate can be used with a dedicated listener on the reverse proxy.
Hope this helps
My internal and external URL for OWA are https://owa.infotechram.com. I have not configured the external SAN certificate yet. The SANs I have for Exchange 2013 are mail.infotechram.com, autodiscover.infotechram.com and .infotechram.com. If I understand correctly I will need a new SAN cert or get the old SAN cert modified to include owa.infotechram.com. Let me know if I have understood the logic. Thanks RAM
You are right, you must have a dedicated name (SAN in your case) addressing the OWA server and buy a new one, or add an additional entry to it.
How did you debug WAC with Snooper?
Hi Salvador, installing the debug tools on WAC and tracing the messages will not work. You need to know where the conference front end pool server is; there you can find the SIP messages.
hope this helps you troubleshooting
Hi Thomas. We have problem sharing the ppt from internal to external users & vice versa. We have OWA Server 2013 SP1, running on WS2012 Server. InternalURL & ExternalURL are same.
Hosting/discovery gives the desired XML output both from internal and external networks. The certificate is from DigiCert and the external URL is in the SAN.
When a user tries to share a PPT, they get an error "we can't connect to servers for presenting right now".
The UCCAPI logs on the external machines don't have the OWA ExternalURL mentioned. Does that mean it does not know where the WAC server is?
We also ping'ed all servers internally and everything is fine, sharing ppt, wallboard, poll works fine between two internal users.
Kindly help us resolve this
Hi guruspatil,
well, it seems you have an issue with the reverse proxy. If it is working internally between users, you mostly have no need to investigate the WAC/OWA.
Hi Thomas. Thanks for the response. The reverse proxy looks fine, we are using a Kemp LoadMaster.
One more strange thing is: netstat -n | find "8057" doesn't give any results on two FEs (we have one pool with 3 FEs). FE1 gives the desired results. FE2 and FE3 return blank. We also get the error ID 41026 on FE2 and FE3.
Is that the reason why we are not able to share the PPT, Poll, Wallboard? Kindly help.
Actually not.
The 8057 is conferencing, but the WAC URL is distributed to the client and connects directly. So if it's not working, the URL isn't published correctly or the WAN isn't working.
Hi Thomas. We are still living with the problem. Whenever an external user shares a presentation (desktop), immediately two events are generated on the Edge (we have a single Edge with one public IP):
Event ID 36888 & 36874
Please help me
Error ID 36888: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
Error ID 36874: A TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Await to hear from you Thomas!
Hi, just two pieces of advice: first, never use a single IP, due to blocking on opposite firewalls; mostly you use port 444, which is never opened at any corporate firewall, which causes trouble with CCCP.
Your issue seems to be a problem with the certificate you are using, leading into a problem with the TLS negotiation.
The error 36888 is a false positive http://support.microsoft.com/kb/260729
and can be ignored. So you are left with your second error only, and here it is, as said, a problem with the certificate itself. Mostly I guess the usage is wrong in your certificate.
SHA 512 might have been chosen, check this. So the workaround would be to create certificates based on SHA 384 or SHA 256.
When I try to browse the WAC URL on a client machine it cannot be browsed from one machine but can be browsed from another machine in another site.
Note there is one OWA server in the environment.
What to do please??
Mostly there are two areas you should look into, firewall or a proxy server. I would instantly bet on the proxy server.
Hi Thomas,
in my case WAC is working fine if both users are connected to the external network;
it does not work when both users are on the internal LAN/VPN or one is on the office LAN and the other is external.
I can download the XML, checked all required ports.
It's a strange one.
Hi Firoj,
the VPN issue could be the WAC network access.
Please explore also:
deployment of the internal certificates (root CA) and/or whether an internal proxy is used. Proxies are causing issues.
Please let me know if it helped
Thomas
Hi Thomas,
thanks for the reply. An automatic proxy is used and all internal traffic is allowed by default. For the certificate we followed the setup described below, and the WAC internal and external URL are the same with https.
FQDN: OwaExtWeb.
Certificate SN: OwaExtWeb.
Certificate SAN: wacsrv1.
Certificate SAN: wacsrv2.
EKU: server
Root certificate: private CA
No events are generated now (41032, 41034), though I can generate the XML file (local, LAN, internet) but I am unable to test https://fqdn.op/generate on the local server (error "Wrong File Type").
Is there a way we could add a static route for the servers so this can be verified?