
DEPLOY A SINGLE-SERVER OFFICE WEB APPS SERVER FARM THAT USES HTTPS


Academic year: 2021


www.mvatcybernet.com


Lync Server 2013 introduces the requirement for Office Web Apps Server to support the use of PowerPoint presentations in Lync online meetings.

Office Web Apps Server Farm will provide Office Web Apps


REQUIREMENTS AND PREREQUISITES

Office Web Apps cannot be collocated on any Lync Server; use a dedicated server with a fresh installation of Windows 2008 R2 SP1, Windows 2012 or Windows 2012 R2.

WINDOWS 2008 R2 SERVER NEEDS THE FOLLOWING SOFTWARE COMPONENTS:

.NET Framework 4.5

Windows Management Framework 3.0

KB2592525

WINDOWS 2008 R2 SERVER NEEDS THE FOLLOWING COMPONENTS:

Import-Module ServerManager
Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support

WINDOWS 2012 AND WINDOWS 2012 R2 SERVERS NEED THE FOLLOWING

Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices,NET-Framework-Features,NET-Framework-Core,NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-WCF-HTTP-Activation45

INSTALLATION OF OFFICE WEB APPS SERVER

Download the following files:

Microsoft Office Web Apps Server 2013 (Install First)

Update for Microsoft Office Web Apps Server 2013 (KB2837634) (Install Second)


For production environments, the use of HTTPS is strongly recommended


THE FOLLOWING IS DESCRIPTION AND REQUIREMENTS FOR CERTIFICATE:

CERTIFICATES USED BY OFFICE WEB APPS SERVER NEED TO MEET THE FOLLOWING REQUIREMENTS:

The Certificate must come from a trusted Certificate Authority and include the Fully Qualified Domain Name (FQDN) of the Office Web Apps Server Farm in the SAN (Subject Alternative Name) field.

(If the FQDN is not in the SAN when you try to use the certificate, the browser will either show security warnings or won’t process the request.)

The Certificate must have an exportable private key. On single-server farms, this option is selected by default when you use the Internet Information Services (IIS) Manager snap-in to import the certificate.

The Friendly Name Field MUST be unique within the Trusted Root Certificate Authorities Store. If there are multiple Certificates that share a Friendly Name Field, FARM CREATION WILL FAIL because the New-OfficeWebAppsFarm cmdlet will not know which of those Certificates to use.

The FQDN in the SAN field cannot begin with an asterisk (*).

Office Web Apps Server DOES NOT REQUIRE ANY SPECIAL CERTIFICATE PROPERTIES OR EXTENSIONS.
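A pre-flight check of the requirements listed above, as an added example that is not part of the original document. The function names, the default store path and the English-language SAN formatting are assumptions; exportability of the private key is not checked.

```powershell
# Added example: check a certificate against the listed requirements before
# running New-OfficeWebAppsFarm. Function names are hypothetical.
function Get-SanDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # 2.5.29.17 is the Subject Alternative Name extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    # Assumption: English-language Windows, where Format() yields "DNS Name=host, ..."
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-OwaCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $FarmFqdn,
        [Parameter(Mandatory = $true)] [string] $FriendlyName,
        # Assumption: store that holds the server certificate. Pass another
        # path (for example Cert:\LocalMachine\Root) to check that store.
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $found = @(Get-ChildItem -Path $StorePath |
               Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($found.Count -ne 1) {
        # The farm cmdlet selects the certificate by Friendly Name.
        return "Friendly Name '$FriendlyName' matches $($found.Count) certificates in $StorePath; exactly one is required."
    }
    $cert = $found[0]
    $san = @(Get-SanDnsName -Cert $cert)
    $problems = @()
    if ($san -notcontains $FarmFqdn) {
        $problems += "SAN does not contain $FarmFqdn"
    }
    if ($san | Where-Object { $_.StartsWith('*') }) {
        $problems += 'SAN contains a name that begins with an asterisk'
    }
    if (-not $cert.HasPrivateKey) {
        $problems += 'Certificate has no private key on this server'
    }
    if (-not $cert.Verify()) {
        $problems += 'Certificate chain does not validate to a trusted CA'
    }
    $problems   # an empty result means every check passed
}

# Values taken from the farm-creation examples in this document.
Test-OwaCertificate -FarmFqdn 'owa.contoso.com' -FriendlyName 'owa.contoso.com'
```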


THE CERTIFICATE MUST BE IMPORTED AS FOLLOWS:

FOR SINGLE-SERVER FARMS

The Certificate MUST be imported directly on the Server that runs Office Web Apps Server.

Do not bind the Certificate manually. The New-OfficeWebAppsFarm cmdlet will do the proper import.

IF YOU BIND THE CERTIFICATE MANUALLY, IT WILL BE DELETED EVERY TIME THE SERVER RESTARTS.

FOR LOAD-BALANCED FARMS

If you are offloading SSL, the certificate must be imported on the hardware load balancer.

If you’re not offloading SSL, you’ll need to install the certificate on each server in the Office Web Apps Server farm.

NOTE:

DO NOT USE SELF-SIGNED CERTIFICATES EXCEPT IN NON-CRITICAL TEST ENVIRONMENTS.

USING SSL OFFLOADING FOR HARDWARE LOAD BALANCERS

When you set up a new Office Web Apps Server farm, SSL offloading is set to OFF by default. If you are using a hardware load balancer, we


SIMPLIFIED CERTIFICATES MANAGEMENT

IMPROVED SOFT AFFINITY

IMPROVED PERFORMANCE

Note that when you use HTTP, traffic from the Load Balancer to the Servers that run Office Web Apps Server is not encrypted, so you need to make sure the network itself is secure. Use of a Private Subnet can help protect traffic.

RESTRICT WHICH SERVERS CAN JOIN AN OFFICE WEB APPS SERVER FARM BASED ON OU MEMBERSHIP

You can prevent unauthorized servers from joining an Office Web Apps Server farm by creating an organizational unit for those servers and then specifying the FarmOU parameter when you create the farm.

For more information about the FarmOU parameter, see New-OfficeWebAppsFarm.

LIMIT HOST ACCESS FOR OFFICE WEB APPS SERVER BY USING THE ALLOW LIST

The Allow List is a security feature that prevents unwanted hosts from connecting to an Office Web Apps Server farm and using it for file operations without your consent. By adding the domains that contain approved hosts to the Allow List, you can limit the hosts to which Office Web Apps Server allows file operations requests, such as file retrieval, metadata retrieval, and file changes.


HERE IS THE PROCEDURE:

NEW-OFFICEWEBAPPSHOST

APPLIES TO: OFFICE WEB APPS SERVER

Adds a host domain to the Allow List for an Office Web Apps Server farm.

New-OfficeWebAppsHost -Domain <String>

PARAMETERS

PARAMETER REQUIRED TYPE DESCRIPTION

Domain Required System.String Specifies the domain to add to the Allow List. Do not specify an asterisk or start it with a period.

DETAILED DESCRIPTION

The New-OfficeWebAppsHost cmdlet adds a host Domain to the list of host Domains to which Office Web Apps Server allows file operations requests, such as file retrieval, metadata retrieval, and file changes. This list, known as the Allow List, is a security feature that prevents unwanted hosts from connecting to an Office Web Apps Server farm and using it for file operations without your knowledge.

The wildcard * is assumed for any Domain that is added to the Allow List so that requests to all Subdomains are also allowed.

CAUTION:

If there are no Domains on the Allow List, Office Web Apps Server allows file requests to hosts in any Domain. Do not leave this list blank if your Office Web Apps Server farm is accessible from the Internet. Otherwise, anyone can use your Office Web Apps Server farm to view and edit content.

EXAMPLE

EXAMPLE 1

New-OfficeWebAppsHost -Domain "contoso.com"

This example adds the domain contoso.com to the Allow List.

NOTE:

You cannot add multiple host domains to the Allow List all at the same time. You must run the New-OfficeWebAppsHost cmdlet for each host domain that you want to add to the Allow List.
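The Allow List rules above in one place, as an added example that is not part of the original document: entry validation, the implied-wildcard matching, the open behaviour of an empty list, and one cmdlet call per domain. The function names and sample domains are constructed, and the `allowList` property read from Get-OfficeWebAppsHost is an assumption about that cmdlet's output.

```powershell
# Added example; domains and host names are constructed sample values.
function Test-AllowListDomain {
    param([string] $Domain)
    # Rule from the parameter table: no asterisk and no leading period.
    [bool]($Domain -and $Domain -notmatch '\*' -and -not $Domain.StartsWith('.'))
}

function Test-HostAllowed {
    # Models the behaviour described in this section; it is not the
    # server's own matching code.
    param([string] $HostName, [string[]] $AllowList)
    $list = @($AllowList | Where-Object { $_ })
    # No domains on the list: file requests to hosts in any domain are accepted.
    if ($list.Count -eq 0) { return $true }
    foreach ($d in $list) {
        # A wildcard is assumed, so the domain and all its subdomains match.
        if ($HostName -eq $d -or $HostName -like "*.$d") { return $true }
    }
    return $false
}

# Two of these three entries break the rules and are filtered out.
$wanted = 'contoso.com', '.fabrikam.com', '*'
$valid  = @($wanted | Where-Object { Test-AllowListDomain $_ })

Test-HostAllowed -HostName 'sp.contoso.com'    -AllowList $valid
Test-HostAllowed -HostName 'files.example.net' -AllowList $valid
Test-HostAllowed -HostName 'files.example.net' -AllowList @()

# On a farm server: one New-OfficeWebAppsHost call per domain, then warn
# if the list is still empty.
if (Get-Command New-OfficeWebAppsHost -ErrorAction SilentlyContinue) {
    # Assumption: current entries are exposed as the allowList property.
    $current = @((Get-OfficeWebAppsHost).allowList | Where-Object { $_ })
    foreach ($d in $valid) {
        if ($current -notcontains $d) { New-OfficeWebAppsHost -Domain $d }
    }
    $after = @((Get-OfficeWebAppsHost).allowList | Where-Object { $_ })
    if ($after.Count -eq 0) {
        Write-Warning 'Allow List is empty: file requests to hosts in any domain are accepted.'
    }
}
```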

IMPORTANT:


SECURING OFFICE WEB APPS SERVER COMMUNICATIONS BY USING HTTPS

THE 3 STEPS TO DEPLOY OFFICE WEB APPS SERVER ARE:

STEP 1: CREATE THE OFFICE WEB APPS SERVER FARM

EXAMPLE 1: Command configuring Internal & External URL

New-OfficeWebAppsFarm -InternalUrl "https://owa.contoso.com" -ExternalUrl "https://owa.contoso.com" -CertificateName "owa.contoso.com" -EditingEnabled

EXAMPLE 2: Command configuring Internal URL

New-OfficeWebAppsFarm -InternalUrl "https://owa.contoso.com" -CertificateName "owa.contoso.com" -EditingEnabled

If the command completes successfully, the following output is displayed:

Setting EditingEnabled to TRUE. You should only do this if users of this Office Web Apps Server have licenses that permit editing using Office Web Apps.

Continue with this operation?


Machines : {OWA}

PARAMETERS

-InternalUrl is the Fully Qualified Domain Name (FQDN) of the Server that runs Office Web Apps Server, such as http://servername.contoso.com.

-ExternalUrl is the FQDN that can be accessed on the Internet.

-CertificateName is the Friendly Name of the Certificate.

-EditingEnabled is optional and enables editing in Office Web Apps when used with SharePoint 2013. This parameter isn't used by Lync Server 2013 or Exchange Server 2013 because those hosts don't support editing.

Additional parameters that configure translation services, proxy servers, ClipArt support, and Online Viewers are described in New-OfficeWebAppsFarm.

STEP 2: VERIFY THAT THE OFFICE WEB APPS SERVER FARM WAS CREATED SUCCESSFULLY

After the farm is created, details about the farm are displayed in the Windows PowerShell prompt. To verify that Office Web Apps Server is installed and configured correctly, use a web browser to access the Office Web Apps Server discovery URL, as shown in the following example. The discovery URL is the InternalUrl parameter you specified when you configured your Office Web Apps Server farm, followed by /hosting/discovery, for example:

https://server.contoso.com/hosting/discovery

urlsrc="https://wac.contoso.com/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="ods"/>
<action name="view" urlsrc="https://wac.contoso.com/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="xls"/>
<action name="view"

NOTE:

Depending on the security settings of your web browser, you might see a message that prompts you to select Show all content before the contents of the discovery XML file are displayed.
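The browser check can be scripted so that every advertised urlsrc is confirmed to use HTTPS and the farm's own FQDN. This is an added example, not part of the original document: the function name is hypothetical, the XML is a constructed sample, and its wopi-discovery, net-zone and app wrapper elements are assumptions (the code only relies on the action attributes shown above).

```powershell
# Added example. Constructed sample discovery XML; the second action is
# deliberately advertised over plain HTTP so the check has something to report.
$sampleDiscovery = @'
<wopi-discovery>
  <net-zone name="internal-https">
    <app name="Excel">
      <action name="view" ext="ods" default="true"
        urlsrc="https://wac.contoso.com/x/_layouts/xlviewerinternal.aspx?&lt;ui=UI_LLCC&amp;&gt;"/>
      <action name="view" ext="xls" default="true"
        urlsrc="http://wac.contoso.com/x/_layouts/xlviewerinternal.aspx?&lt;ui=UI_LLCC&amp;&gt;"/>
    </app>
  </net-zone>
</wopi-discovery>
'@

function Get-DiscoveryUrlProblem {
    param(
        [Parameter(Mandatory = $true)] [string] $DiscoveryXml,
        [Parameter(Mandatory = $true)] [string] $ExpectedHost
    )
    $doc = [xml]$DiscoveryXml
    # Select every action element regardless of the wrapper structure.
    foreach ($action in $doc.SelectNodes('//action')) {
        $src = $action.GetAttribute('urlsrc')
        $reason = $null
        if ($src -match '^(?<scheme>[a-z][a-z0-9+.-]*)://(?<host>[^/:?]+)') {
            if ($Matches['scheme'] -ne 'https') {
                $reason = 'urlsrc is not HTTPS'
            } elseif ($Matches['host'] -ne $ExpectedHost) {
                $reason = 'urlsrc host differs from the farm FQDN'
            }
        } else {
            $reason = 'urlsrc is missing or unparseable'
        }
        if ($reason) {
            New-Object PSObject -Property @{
                Name = $action.GetAttribute('name'); Ext = $action.GetAttribute('ext')
                UrlSrc = $src; Reason = $reason
            }
        }
    }
}

# Against a live farm, fetch the text first (URL form as given in this section):
#   $xml = (New-Object System.Net.WebClient).DownloadString('https://server.contoso.com/hosting/discovery')
Get-DiscoveryUrlProblem -DiscoveryXml $sampleDiscovery -ExpectedHost 'wac.contoso.com'
```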

STEP 3: CONFIGURE THE HOST

CONFIGURING INTEGRATION WITH OFFICE WEB APPS SERVER AND LYNC SERVER 2013

LYNC SERVER 2013

Lync Server 2013 employs Office Web Apps Server to handle PowerPoint presentations. For information about the advantages to this approach, see Web Conferencing Overview.

In order to use these new capabilities, administrators must install Office Web Apps Server and must configure Lync Server 2013 to communicate with Office Web Apps Server.

CONFIGURING LYNC SERVER 2013 TO WORK WITH OFFICE WEB APPS SERVER

LYNC SERVER 2013

Before you can configure Lync Server 2013 to use Office Web Apps Server, Office Web Apps Server must be deployed and configured.

After Office Web Apps Server has been successfully installed and your Web farm correctly configured, you must then configure Lync Server 2013 to communicate with the new Server; this is done by adding the Office Web Apps Server discovery URL to your Lync Server topology. To add Office Web Apps Server to your topology, complete the following steps:

1. Click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Topology Builder.

2. In the Topology Builder dialog box, select Download Topology from


3. In the Save Topology As dialog box, type a name for your topology document (for example, PreWebAppsServerTopology) in the File name box and then click Save. This topology can later be retrieved and republished if you encounter problems with your new topology.

4. In Topology Builder, expand Lync Server 2013, expand the name of your site, expand Enterprise Edition Front End pools, right-click the name of one of your pools, and then click Edit Properties.

5. In the Edit Properties dialog box, on the General tab, find the heading Associate Office Web Apps Server and then click New (or select an existing Office Web Apps Server from the drop-down list).

6. In the Define New Office Web Apps Server dialog box, type the fully qualified domain name (FQDN) of your Office Web Apps Server computer in the Office Web Apps Server FQDN box; when you do this, your Office Web Apps Server discovery URL should automatically be entered into the Office Web Apps Server discovery URL box.

If the Office Web Apps Server is installed on-premises and in the same network zone as Lync Server 2013 then the option Office Web Apps Server is deployed in an external network (that is, perimeter/Internet) should not be selected.

If the Office Web Apps Server is deployed outside your internal firewall, then select the option Office Web Apps Server is deployed in an external network (that is, perimeter/Internet).

7. In the Define New Office Web Apps Server dialog box, click OK, and then click OK in the Edit Properties dialog box. The Office Web Apps discovery URL will then be listed as one of the pool's Associations.

You will have to repeat this process for each pool that needs to be associated with your Office Web Apps Server.

After you have added the discovery URL to the topology you must then publish this updated topology. To do that in Topology Builder:

1. Click Action and then click Publish Topology.

2. In the Publish Topology wizard, on the Publish the Topology page, click Next.

3. On the Publishing wizard complete page, click Finish.

VALIDATING THE CONFIGURATION OF OFFICE WEB APPS SERVER

LYNC SERVER 2013

After Office Web Apps Server has been added to the topology, and after that topology has been published, you should see two new event log events in the Lync Server event log. First, an LS Data MCU event (EVENT ID 41032) should be added; this event will report that the Office Web Apps Server has been discovered:

Web Conferencing Server WAC is discovered, PowerPoint content is enabled.

In addition to that you should see another LS Data MCU event (EVENT ID 41032) that reports back Office Web Apps Server URLs. For example, you should see something similar to this:

Web Conferencing Server WAS discovery has succeeded.

WAC internal presenter page: https://atl-officewebapps-001.litwareinc.com/m/Presenter.aspx?a=0&embed=

WAC internal attendee page: https://atl-officewebapps-001.litwareinc.com/m/ParticipantFrame.aspx?a=0&embed=true&=

WAC external presenter page: https://atl-officewebapps-001.litwareinc.com/m/Presenter.aspx?a=0&embed

WAC internal attendee page: https://atl-officewebapps-001.litwareinc.com/m/ParticipantFrame.aspx?a=0&embed=true&

newly-configured Office Web Apps Server. If the discovery process fails repeatedly you should remove Office Web Apps Server from your topology document, publish the updated topology, and then try adding Office Web Apps Server back to the topology after the connectivity issues have been resolved.

If Office Web Apps Server appears to be configured correctly and has been recognized by the discovery process you can verify that Office Web Apps Server is working as expected by sharing a PowerPoint presentation between a pair of Microsoft Lync 2013 clients.

IF USER A CAN LOAD AND DISPLAY THE POWERPOINT PRESENTATION AND IF USER B CAN THEN JOIN THE MEETING AND SEE THAT PRESENTATION THEN OFFICE WEB APPS SERVER IS WORKING. EVEN IF OFFICE WEB APPS SERVER APPEARS TO BE CONFIGURED CORRECTLY, YOU COULD POTENTIALLY RECEIVE THE ERROR MESSAGE “SOME SHARING FEATURES ARE UNAVAILABLE DUE TO SERVER CONNECTIVITY ISSUES” WHEN YOU TRY SHARING A POWERPOINT PRESENTATION. IF YOU RECEIVE THAT ERROR MESSAGE YOU SHOULD RESTART THE FRONT END SERVER (OR SERVERS) ASSOCIATED WITH THE NEW OFFICE WEB APPS SERVER.

CONFIGURING CLIENTS FOR USE WITH OFFICE WEB APPS SERVER

LYNC SERVER 2013

If you want users to experience the full capabilities of Office Web Apps Server then you should upgrade those users to Microsoft Lync 2013; only users of Lync 2013 will be able to do such things as scroll through

without interfering in any way with the actual presentation.) Users who are not using Lync 2013 will still be able to join online conferences and view the PowerPoint presentation; however, they will not be able to independently scroll through the slides, nor will they be able to see slide transitions or view embedded videos.

Note that these capabilities will always be available to users of Lync 2013; this is true even if the PowerPoint presenter is running Microsoft Lync 2010. If a PowerPoint presentation is being hosted by a user running Lync 2010, Lync Server 2013 will coordinate with Office Web Apps Server to make sure that Lync 2013 users will view the Office Web Apps Server version of that presentation. Office Web Apps Server does not provide PowerPoint services for users running clients other than Lync 2013. Instead, those users connect to the Conferencing server service and view PowerPoint presentations the same way they did in Microsoft Lync Server 2010. This also means that these users will only have access to the more-limited capabilities offered by Lync Server 2010.

Although no client configuration is required for Office Web Apps Server (other than upgrading users to Lync 2013), it is recommended that conference attendees be upgraded to Internet Explorer 9. Although conferences can be accessed using Internet Explorer 8, there are some limitations to using that Web browser. For example, users of Internet
