Microsoft Office Web Apps Server 2013
Integration with SharePoint 2013 | Setting
up Load Balanced Office Web Apps Farm
with SSL (HTTPS)
December 25th, 2015 | V.1.0
Prepared by: Manoj Karunarathne
MCT, MCSA, MCSE, CDIA+
http://manojviduranga.wordpress.com
Manoj Viduranga Karunarathne | http://manojviduranga.wordpress.com
Contents
1. Introduction
2. Server Environment
3. Requirements and Recommendations
4. Deployment
1. Introduction
Microsoft Office Web Apps 2013 is now a fully isolated farm that supports multiple integrations, such as SharePoint, Lync, Skype for Business and other third-party applications. Basically, a single Web Apps farm serves OWA capabilities to multiple applications, which makes it simple to manage and integrate.
This step-by-step guide shows how to set up an Office Web Apps 2013 farm with high availability and security. The names and certificates used in this scenario are samples for demonstration purposes. Use meaningful names and obtain a valid SSL certificate for your own scenario and environment.
This guide covers the following requirements:
- Multi-server farm: set up Office Web Apps with Microsoft NLB for high availability and load balancing.
- Set up the Office Web Apps farm with better security using SSL for HTTPS. HTTPS is highly recommended for production Office Web Apps deployments; HTTP is meant for development and testing environments only.
Before you begin the installation and configuration, it is recommended to go through the references below, which provide the basic information about Microsoft's Office Web Apps Server product.
Configure Office Web Apps for SharePoint 2013 - https://technet.microsoft.com/en-us/library/ff431687.aspx
Deploy Office Web Apps Server 2013 - https://technet.microsoft.com/en-us/library/jj219455.aspx
Planning Office Web Apps Server - https://technet.microsoft.com/en-us/library/jj219435.aspx
2. Server Environment
This demo setup uses:
- Two Office Web Apps 2013 servers with Windows NLB enabled and configured
- A SharePoint Server farm with two WFE servers and a single APP server for intranet site hosting with a host header site collection (this SharePoint farm is a multitenant environment where a single web application contains multiple host-named site collections, each with a unique URL)
- Two database servers holding an AlwaysOn instance for the SharePoint environment
- An Active Directory | DNS server with Active Directory Certificate Services enabled and started
- Two SQL Server nodes with an AlwaysOn instance hosting the SharePoint platform
The specifications of these servers are for demonstration purposes only. Production environments are highly recommended to meet Microsoft's sizing requirements in order to get optimum performance and reliability.
3. Requirements and Recommendations
This guide uses Windows NLB for demonstration purposes. In production environments, if you are planning for more than one OWA server, try to use a hardware load balancer, which brings the following capabilities:
- Layer 7 routing
- Enabling client affinity or front-end affinity
- Enabling SSL offloading
Production environments always have firewalls between different zones. Depending on the zone in which you place the OWA servers, you need to open the following ports for OWA to function properly:
- Port 443 for HTTPS traffic
- Port 80 for HTTP traffic
- Port 809 for private traffic between the servers that run Office Web Apps Server (if you're setting up a multi-server farm)
Topology Planning (Source: https://technet.microsoft.com/en-us/library/jj219435.aspx )
Plan for server-level redundancy. If you are using virtual machines to host OWA, segregate them onto separate host servers instead of placing them all in one box (e.g. OWA1 hosted on hardware box A, OWA2 hosted on hardware box B), so that if hardware box A goes down, box B still serves requests because OWA2 is still running there.
Stick to one data center. Servers in an Office Web Apps Server farm must be in the same data
center. Don’t distribute them geographically. Generally, you need only one farm, unless you have
security needs that require an isolated network that has its own Office Web Apps Server farm.
The closer the hosts, the better. The Office Web Apps Server farm doesn’t have to be in the same
data center as the hosts it serves, but for heavy editing usage, we recommend you put the Office
Web Apps Server farm as close to the hosts as possible. This is less important for organizations
that use Office Web Apps primarily for viewing Office files.
Plan your connections. Connect all servers in the Office Web Apps Server farm only to one
another. To connect them to a broader network, do so through a reverse proxy load balancer
firewall.
Configure the firewall for HTTP or HTTPS requests. Make sure the firewall allows servers running
Office Web Apps Server to initiate HTTP or HTTPS requests to hosts.
Plan for incoming and outgoing communications. In an Internet-facing deployment, route all
outgoing communications through a NAT device. In a multi-server farm, handle all incoming
communications with a load balancer.
Make sure all servers in the Office Web Apps Server farm are joined to a domain and are part of the
same organizational unit (OU). Use the FarmOU parameter in the New-OfficeWebAppsFarm
cmdlet to prevent other servers that are not in this OU from joining the farm.
Use Hypertext Transfer Protocol Secure (HTTPS) for all incoming requests.
If you have IPsec deployed in the network, use it to encrypt traffic among the servers.
Plan for Office features that use the Internet. If features such as clip art and translation services
are needed, and the servers in the farm can’t initiate requests to the Internet, you’ll need to
configure a proxy server for the Office Web Apps Server farm. This will allow HTTP requests to
external sites.
Software Requirements for Office Web Apps
Office Web Apps servers must be independent from other applications and services such as SharePoint, Exchange, Lync and Skype4B. Do not try to deploy Office Web Apps on a server that runs any of the above applications; that is not supported.
Don't install any services or applications that depend on IIS ports 80, 443 or 809, because OWA frequently removes web applications on these ports in order to bring up the OWA web applications.
Do not install any Office client applications on OWA servers, as this is not recommended. If any Office applications are installed on a server where you are about to install OWA, you have to fully uninstall them prior to the OWA installation.
Do not install OWA on a domain controller or on any domain server that runs critical services such as DNS or AD DS.
Download Office Web Apps 2013 with SP1, which is the latest version you can download. Also look for the recent cumulative updates prior to going live in production scenarios.
4. Deployment
It is assumed that you already have a SharePoint farm prepared with an accessible site collection. This guide does not go through the SharePoint Server deployment, only the integration of Office Web Apps with SharePoint, which allows your end users to open and edit their Office documents within the browser.
Steps:
1. Installing Prerequisites in OWA servers for Office Web apps
2. Creating DNS Host Records
3. Configuring Windows NLB for Load balancing and High Availability
4. Configuring SSL Certificates using Active Directory Certificate Services
5. Installing Office Web Apps
6. Configuring Office Web Apps Farm
7. Joining Member Servers to the Office Web Apps Farm
8. Integrating with SharePoint Farm
9. Testing Functionality
1. Installing Office Web Apps Prerequisites
You must have a domain user account (such as the SharePoint farm account) created in order to install Office Web Apps.
After creating your virtual machine, log in to it and prepare it with the necessary network and domain configuration, such as defining IP addresses and joining it to the respective domain.
Then log in to the server using local administrative credentials and add the user account created for Office Web Apps to the local Administrators group.
Run the following scripts in Windows PowerShell to prepare your OWA servers with the prerequisites. If your server doesn't have internet connectivity, you can define the SxS path to the source files by passing the -Source parameter (e.g. -Source D:\Sources\sxs).
The server might prompt for a restart once finished.
For Windows Server 2008 R2
Install the following software:
o Windows Server 2008 R2 Service Pack 1
o .NET Framework 4.5
o Windows PowerShell 3.0
o Platform update for Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB2670838)
Right-click Windows PowerShell and run it as administrator. Then run the following (the Add-WindowsFeature command is a single line):
Import-Module ServerManager
Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support,NET-Framework,NET-Framework-Core,NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-Win-CFAC
For Windows Server 2012
Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices,NET-Framework-Features,NET-Framework-Core,NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-WCF-HTTP-Activation45
For Windows Server 2012 R2
Install .NET Framework 4.5.2
Then run the following in PowerShell:
Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices,NET-Framework-Features,NET-Framework-Core,NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-WCF-HTTP-Activation45
2. Creating DNS Host Records
Next, create the Host (A) record for the NLB cluster name (which will be the ultimate server name of the OWA farm).
Go to your DNS server and simply create a Host (A) record that points to your target NLB IP. You need a dedicated IPv4 address for this.
Open the DNS Manager console on your DNS server, right-click the respective zone and hit New Host (A or AAAA) to create a new host record.
Provide the name and the IP it points to (which is the desired NLB cluster IP) and hit Add Host to create it.
The record is now ready.
3. Configuring Windows NLB
The next step is to install Windows NLB on both OWA servers in order to configure load balancing.
Open Server Manager and click Add Roles and Features at the top. This has to be done on both OWA servers.
Just click Next on the first screen.
Leave the default selection here and hit Next.
Keep the default choice here too and hit Next to proceed.
Select Network Load Balancing from the feature list and hit Next to install the feature, then restart the server if prompted.
That installed the NLB feature for us; now let's set up the load balancing cluster. Open the Windows NLB console on the primary machine (OWA1). Make sure both nodes are now ready with IP, host names and the NLB feature.
Right-click the top level and create a new cluster.
Provide the name or IP of the primary server that will host the cluster (the local server). It will automatically resolve the IP and display the interface for you. Simply hit Next to proceed.
Leave these settings as they are unless you need a specific configuration for IP and network interfaces.
The next step is to define the cluster IP. In this scenario it is 192.168.150.132.
The IP address will already be selected. Define the FQDN of the cluster name here and choose the operation mode based on your network. This server has only a single network interface, so it has to be Multicast. If you have multiple interfaces, you may choose Unicast mode to make it function properly.
Hit Next to go ahead.
You can edit the port rules to customize ports or protocols, but this is not really necessary to get this functioning. Leaving the defaults gives us what we need in this case.
If all went well, you can see that the cluster is created with the defined name and settings and the primary host is added and started with a green health status.
Let's go ahead and add the second node here. Right-click the cluster name and choose Add Host to Cluster.
Type the host name or IP of your secondary OWA machine (OWA2 in this case). Make sure it can communicate with the primary host and that Windows Firewall exceptions are added or the firewall is switched off, so nothing will block the communication at this point.
If all is good, it will resolve the IP from the name and the name from the IP as below. Just hit Next to proceed.
Leave the priority at the default (2) and the state as Started.
Next come the port rules. Load is left as Equal; you can define your own if you need to. Leave it at the default for better load sharing.
Give it a moment.
Both nodes will then come online and appear as healthy if you have configured everything properly.
To verify the availability of the cluster, let's ping the name. Do it from one of the SharePoint machines so you can identify any issues in the network.
So the NLB cluster is all set for us. Next is to prepare the OWA servers with SSL certificates.
4. Configure SSL Certificates for OWA HTTPS
We are using Active Directory Certificate Services to issue web server certificates for our OWA farm. These will only be trusted and validated within the domain network. For external networks such as the Internet, you need to purchase a genuine SSL certificate from a third-party vendor such as Verisign.
If you use internal certificates (such as the one used in this scenario), your OWA WOPI URL will not be valid for external access and it will prompt a security message with a critical warning about the content. So for production environments, always use a valid certificate.
Setting up SSL
Open Active Directory Certificate Services on your AD server. At this point, our NORTHWIND AD will be the ultimate Certification Authority.
If you do not have this feature on your AD server, you can get it installed via the Server Manager Roles and Features installation wizard.
This server already has it installed, so we can just go ahead. Expand the server and hit Manage.
The Certificate Templates console will now open in edit mode. Right-click the Web Server template and go to Properties.
Add the computer accounts (OWA1.Northwind.Int | OWA2.Northwind.Int) of your OWA servers and the service account that will be used to set up the OWA farm, with the following permissions. This will enable the Web Server certificate template to be enrolled from these two servers.
Change the object types to the following types.
Allow Read and Enroll permissions for all three objects.
That's all from the Active Directory side. Let's move back to the OWA servers and open MMC.EXE to obtain certificates.
From the console root, choose Add/Remove Snap-in.
Select Certificates.
Expand the Certificates root and drill down to Personal. Right-click Personal and request a new certificate.
The new Certificate Enrollment wizard will be shown. Just hit Next to proceed.
Active Directory Enrollment Policy will be selected by default here, so there is nothing much to do. Hit Next here.
You will then see that the Web Server policy is highlighted with an exclamation mark. Click the message there.
That will bring you to the Certificate Properties, where you provide all the details of this certificate. Select the subject name type "Common Name" and the alternative name type "DNS". The value for both of these fields can be the same, which is our OWA farm name. Basically, this certificate will be dedicated to the OWA farm. It won't be valid for any other purpose. Yet this may depend on your scenario and environment.
Once entered, add them to the selection on the right side.
Go to the General tab and provide the same value for Friendly Name. The friendly name is the name you will use to recognize this certificate later, when you are pointing to this certificate from other applications. The description can be anything.
Hit Apply to complete.
The exclamation message will then be gone, as you have successfully completed the required certificate information. Simply check the Web Server check box and hit Enroll to obtain the certificate.
Give it a few seconds and, if everything is good, the certificate will be successfully enrolled. If you get an error here saying "Server or Service Unavailable", you might need to restart the Certificate Server service on your AD server.
We can now see the certificate in the certificate store.
Repeat the same on the secondary OWA server (OWA2) as well. That completes our SSL certificate configuration part.
5. Installing Office Web Apps Server 2013
Here comes the real thing. As we have completed almost all the prerequisites and background preparations for the OWA farm, we can proceed to the installation and farm deployment.
Log in to the OWA servers using the domain account (Northwind\sp_farm_svc) you have created. In this case it is the SharePoint farm account, which will be used to install OWA.
Mount the Office Web Apps Server 2013 ISO (with Service Pack 1) and run it.
As always, you have to agree to the license terms and then continue to proceed.
The success message will appear in just a few minutes if everything went well.
Now the most important steps. Configuring the OWA farm is done through PowerShell. The best tool for this is PowerShell ISE. On OWA1, right-click the PowerShell icon and run ISE as administrator.
To create the new OWA farm, run the following script. If you are using SSL offloading, the parameters will be a bit different.
New-OfficeWebAppsFarm -Verbose -InternalUrl https://OfficeApps.Northwind.int -CertificateName OfficeApps.Northwind.Int -ClipartEnabled -TranslationEnabled -EditingEnabled
-Verbose (This switch displays the status)
-InternalUrl (This is the internal URL referred to from SharePoint later)
-EditingEnabled (This allows your users to edit documents in the browser itself)
-CertificateName (You can define your SSL certificate using this parameter, or you can do it yourself manually via IIS later)
-ExternalUrl (Can be defined in addition to the InternalUrl switch if you are setting up an external scenario)
If all went well, you will see the result as above. Under Machines it will show OWA1, which is our primary OWA server in this farm.
Check IIS to verify the web application creation and SSL certificate assignment.
Open IIS Manager and check that these two web applications are created.
Note the certificate binding under the site bindings on the right panel.
6. Joining Secondary OWA machine to the Farm
The next step is to join our second machine to the OWA farm. Log in to the OWA2 machine using the same domain credentials you used to set up OWA1.
Open PowerShell ISE as administrator and run the following on OWA2.
New-OfficeWebAppsMachine -MachineToJoin OWA1
-MachineToJoin (This parameter defines the name of your primary OWA server. Basically, this is the master machine.)
That's all from the OWA farm side. The next step is to integrate the OWA farm with SharePoint, but before that let's test our setup.
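The section 3 recommendations (HTTPS for all incoming requests, FarmOU to restrict which servers can join) can be checked against the farm that was just built. The following is an added example, not part of the original guide: the function name Test-OwaFarmHardening and the sample farm object are hypothetical, constructed from this guide's names; on an OWA server you would pass the output of Get-OfficeWebAppsFarm instead.

```powershell
# Added example (not from the original guide): audit an Office Web Apps farm
# object against the HTTPS / FarmOU recommendations made in section 3.
function Test-OwaFarmHardening {
    param(
        [Parameter(Mandatory)] $Farm,                  # output of Get-OfficeWebAppsFarm
        [Parameter(Mandatory)] [string] $ExpectedHost, # farm (NLB) name, not a node name
        [int] $ExpectedMachineCount = 2
    )
    $findings = @()

    # HTTP is for test/dev only; a production farm should refuse it.
    if ($Farm.AllowHTTP) {
        $findings += 'AllowHTTP is True: the farm accepts plain HTTP requests'
    }

    # Every URL the farm advertises must be https and use the farm name.
    foreach ($name in 'InternalURL', 'ExternalURL') {
        $url = [string]$Farm.$name
        if ([string]::IsNullOrEmpty($url)) { continue }
        $uri = [uri]$url
        if ($uri.Scheme -ne 'https') {
            $findings += "$name uses scheme '$($uri.Scheme)', expected https"
        }
        if ($name -eq 'InternalURL' -and $uri.Host -ne $ExpectedHost) {
            $findings += "InternalURL host '$($uri.Host)' is not the farm name '$ExpectedHost'"
        }
    }

    # Without SSL offloading the farm terminates TLS itself and needs a certificate.
    if (-not $Farm.SSLOffloaded -and [string]::IsNullOrEmpty([string]$Farm.CertificateName)) {
        $findings += 'SSLOffloaded is False but no CertificateName is set'
    }

    # FarmOU restricts which domain computers may join the farm.
    if ([string]::IsNullOrEmpty([string]$Farm.FarmOU)) {
        $findings += 'FarmOU is empty: joining is not restricted to one organizational unit'
    }

    # A load-balanced farm with a missing node is silently running without redundancy.
    $count = @($Farm.Machines).Count
    if ($count -ne $ExpectedMachineCount) {
        $findings += "Farm has $count machine(s), expected $ExpectedMachineCount"
    }
    return $findings
}

# Constructed sample mirroring the New-OfficeWebAppsFarm command in this guide
# (which sets no -FarmOU), after OWA2 has joined.
$sampleFarm = [pscustomobject]@{
    FarmOU          = ''
    InternalURL     = 'https://officeapps.northwind.int/'
    ExternalURL     = ''
    AllowHTTP       = $false
    SSLOffloaded    = $false
    CertificateName = 'OfficeApps.Northwind.Int'
    EditingEnabled  = $true
    Machines        = @('OWA1', 'OWA2')
}
Test-OwaFarmHardening -Farm $sampleFarm -ExpectedHost 'officeapps.northwind.int'

# On an OWA server:
# Test-OwaFarmHardening -Farm (Get-OfficeWebAppsFarm) -ExpectedHost 'officeapps.northwind.int'
```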
7. Testing the OWA farm
Simply try the hosting discovery URL from a different server (a SharePoint server will do):
https://officeapps.northwind.int/hosting/discovery
If you retrieve the XML page as below with the parameters, it means you are all good to go.
The discovery URL working means that your OWA farm is accessible and functioning well, so the next step is to integrate OWA with SharePoint. Sometimes the hosting URL may not work from within the OWA servers themselves due to loopback checking; the best thing is to check it from outside the OWA servers.
The URL will not show any warnings about the certificate or trust because it is valid internally within our Northwind.Int domain environment. It will not be valid for outside access unless it's a valid external certificate from a vendor.
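Beyond confirming that the discovery page loads, the returned XML can be checked so that every action URL it advertises uses HTTPS and the farm name rather than an individual node. This is an added example, not part of the original guide: the function name Test-WopiDiscovery is hypothetical, the sample XML is constructed (its second action deliberately points at a node name), and treating any zone whose name does not end in -https as a finding is an assumption that follows this guide's HTTPS-only setup.

```powershell
# Added example (not from the original guide): validate a WOPI discovery document.
function Test-WopiDiscovery {
    param(
        [Parameter(Mandatory)] [xml]    $Discovery,
        [Parameter(Mandatory)] [string] $ExpectedHost   # farm (NLB) name
    )
    $findings = @()
    $zones = $Discovery.SelectNodes('/wopi-discovery/net-zone')
    if ($zones.Count -eq 0) {
        return @('No net-zone elements found: not a WOPI discovery document')
    }
    foreach ($zone in $zones) {
        $zoneName = $zone.GetAttribute('name')
        if ($zoneName -notlike '*-https') {
            $findings += "Zone '$zoneName' is not an HTTPS zone"
        }
        foreach ($action in $zone.SelectNodes('app/action')) {
            $app   = $action.ParentNode.GetAttribute('name')
            $label = "$zoneName/$app/$($action.GetAttribute('name'))"
            $src   = $action.GetAttribute('urlsrc')
            if ($src -match '^(?<scheme>[a-z]+)://(?<host>[^/:?]+)') {
                if ($Matches.scheme -ne 'https') {
                    $findings += "${label}: urlsrc uses '$($Matches.scheme)', expected https"
                }
                if ($Matches.host -ne $ExpectedHost) {
                    $findings += "${label}: urlsrc host '$($Matches.host)' is not '$ExpectedHost'"
                }
            } else {
                $findings += "${label}: urlsrc is missing or not an absolute URL"
            }
        }
    }
    return $findings
}

# Constructed sample; the "edit" action points at a node name to trip the host check.
[xml]$sample = @'
<wopi-discovery>
  <net-zone name="internal-https">
    <app name="Word">
      <action name="view" ext="docx" urlsrc="https://officeapps.northwind.int/wv/wordviewerframe.aspx?&lt;ui=UI_LLCC&amp;&gt;"/>
      <action name="edit" ext="docx" urlsrc="https://owa1.northwind.int/we/wordeditorframe.aspx?&lt;ui=UI_LLCC&amp;&gt;"/>
    </app>
  </net-zone>
</wopi-discovery>
'@
Test-WopiDiscovery -Discovery $sample -ExpectedHost 'officeapps.northwind.int'

# Against the live farm, from a SharePoint server:
# $live = [xml](Invoke-WebRequest -UseBasicParsing https://officeapps.northwind.int/hosting/discovery).Content
# Test-WopiDiscovery -Discovery $live -ExpectedHost 'officeapps.northwind.int'
```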
8. Integrate Office Web Apps with SharePoint 2013
The SharePoint environment is already set up with a host-named site collection that also uses HTTPS. This scenario is fully set up for HTTPS in order to test production-level functionality. If you are using HTTPS for OWA, your SharePoint site must use HTTPS too; otherwise there is no point in using HTTPS on OWA.
Note: The recommended way to deploy OWA is using HTTPS with a valid SSL certificate. HTTP is not recommended and is meant for testing and development environments only.
In this scenario, we are using the https://intranet.Northwind.Int host header site collection for integration testing. Below is the default SharePoint site, which has some sample documents uploaded and is all good to go on the SharePoint side. This SharePoint farm also has two WFE servers with NLB configured, and this URL is fully load balanced with NLB.
Log in to your SharePoint APP server and run the following in the SharePoint Shell or PowerShell ISE.
From SharePoint Shell
New-SPWOPIBinding -Server OFFICEAPPS.NORTHWIND.INT
From PowerShell ISE
Add-PSSnapin Microsoft.SharePoint.Powershell -EA 0
New-SPWOPIBinding -Server OFFICEAPPS.NORTHWIND.INT
-Server (This parameter defines your OWA farm name, not the name of any OWA machine)
If all went well, you will see the above result, with the defined inputs such as zone, server name etc.
That's all from the SharePoint farm side.
Let's test the functionality from the SharePoint side now.
Note: Do not use the farm account to test OWA. You must use a different user account to test this, as the SharePoint farm account is not allowed to open documents from the browser for security reasons.
Preview of a document in the browser in the WOPI frame
Opening a document
Editing a document in the browser
9. Glossary
Server Did Not Respond - Error when adding a WOPI zone in SharePoint. This could happen if you already have some other WOPI zones, or else due to an invalid certificate on the OWA server.
Hosting/discovery Doesn't Load - Mostly this happens if you try to open it from the OWA server itself. Try from another server. Also try adding the secondary server and then loading the URL.
Issue the Certificate for the Relevant Name - Whether the name is OWA1 or OfficeApps.Northwind.int, the certificate has to be for the same name if it's a SAN certificate.