WAC FAQ

Office Web Apps = WAC (Web Application Companion)

Outlook Web Access = OWA

Can be used by SharePoint, Exchange, Lync.
Can be shared between SharePoint Farms.
Used by Mail.ru, OneDrive and Yammer.
 

Based on new WOPI protocol (open, documented) = Web Application Open Platform Interface
WOPI hosts (SharePoint…); WOPI Apps/Clients (WAC, Office Web App)

Licensing. Free for viewing. Edit licence comes with Office Std/Pro license.

Support ODF 1.2, PDF.

How WAC/WOPI works:

 

Architecture

3 servers in WAC farm to support high availability and still be able to upgrade/patch the farm.

(recommendation) use session affinity on the load balancer

Hardware requirements (min): 4-core x64 CPU, 12GB RAM, 80GB HDD for system, separate drive (~200GB) for cache. Can support up to 20k users. Virtualization is fully supported.

Software requirements for WAC server (Technet)

+ WCF HTTP Activation (NET-WCF-HTTP-Activation on WS2012) 

Use WAC server only for WAC. Do not run any other server application on WAC server, do not install Office on WAC server (incl. SharePoint Designer). WAC uses ports 443/80 (inbound), 809/810 (interfarm).

Technet:
“Make sure all servers in the Office Web Apps Server farm are joined to a domain and are part of the same organizational unit (OU). Use the FarmOU parameter in the New-OfficeWebAppsFarm cmdlet to prevent other servers that are not in this OU from joining the farm.”

Wictor:
“Place WAC machines in a dedicated OU. It is really important from the security point prospective…”,
“The Farm OU is specified when creating a new WAC farm or using the Set-OfficeWebAppsFarm/ cmdlet. The only caveat with this OU is that it has to be a top level OU in Active Directory. Creating that OU in your or your customers AD might cause some headache, but if you want to use the FarmOU as protection method for your farm it has to be this way. That’s the way it is designed!”

Use SSL/TLS (Lync requires SSL), disable port 80. Use Allow List.

If offloading SSL – remember -SSLOffloaded switch (must use)
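
The hardening notes above (FarmOU, SSL/TLS with port 80 disabled, allow list, SSLOffloaded) can be checked in one pass. This is an added example, not code from the original notes: the function name, the sample objects and the assumption that farm properties mirror the New-OfficeWebAppsFarm parameter names are illustrative.

```powershell
# Added example. Property names are assumed to mirror the New-OfficeWebAppsFarm parameters.
function Test-WacFarmHardening {
    param(
        [Parameter(Mandatory)] $Farm,     # Get-OfficeWebAppsFarm output, or a stand-in object
        [string[]] $AllowedHosts = @()    # allow-list domains, supplied by the caller
    )
    $findings = @()
    if ([string]::IsNullOrWhiteSpace($Farm.FarmOU)) {
        $findings += 'FarmOU not set: servers outside a dedicated OU are not kept out of the farm'
    }
    if ($Farm.AllowHTTP) {
        $findings += 'AllowHTTP enabled: plain HTTP is accepted'
    }
    foreach ($url in @($Farm.InternalURL, $Farm.ExternalURL)) {
        # Unset URLs are skipped; anything that is set must be HTTPS.
        if ($url -and "$url" -notmatch '^https://') {
            $findings += "Farm URL is not HTTPS: $url"
        }
    }
    if (-not $Farm.SSLOffloaded -and [string]::IsNullOrWhiteSpace($Farm.CertificateName)) {
        $findings += 'No certificate bound and SSLOffloaded not set'
    }
    if ($AllowedHosts.Count -eq 0) {
        $findings += 'Allow list empty: any host domain may call the farm (the default)'
    }
    if ("$($Farm.LogVerbosity)" -eq 'Verbose') {
        $findings += 'LogVerbosity is Verbose: revert once troubleshooting is done'
    }
    return ,$findings
}

# Constructed sample objects (not real farm output).
$weak = [pscustomobject]@{
    FarmOU = ''; AllowHTTP = $true; SSLOffloaded = $false; CertificateName = ''
    InternalURL = 'http://wac.corp.example/'; ExternalURL = $null; LogVerbosity = 'Verbose'
}
$hardened = [pscustomobject]@{
    FarmOU = 'WacServers'; AllowHTTP = $false; SSLOffloaded = $false; CertificateName = 'WAC Farm'
    InternalURL = 'https://wac.corp.example/'; ExternalURL = $null; LogVerbosity = ''
}

Test-WacFarmHardening -Farm $weak
Test-WacFarmHardening -Farm $hardened -AllowedHosts 'corp.example'
```

On a farm member, pass (Get-OfficeWebAppsFarm) as -Farm and the domains from the allow list as -AllowedHosts.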

Vlad:
The certificate must come from a trusted CA and include the FQDN of your WAC farm in the SAN (Issued to: wac.domain.com). Wildcard certificates are not supported. The FQDN  of every server of your WAC farm must be in the SAN of the certificate.

Wictor:
Certificate must contain the FQDN of all WAC servers (or have a wildcard that covers them).
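
The two statements above differ on wildcards, so a pre-deployment check should be able to apply either rule. This is an added example, not code from the cited authors: the function name and sample names are hypothetical, and wildcard matching is opt-in through a switch.

```powershell
# Added example: verify that a certificate's SAN list covers the farm FQDN and every server FQDN.
function Test-WacCertificateNames {
    param(
        [Parameter(Mandatory)] [string[]] $SanNames,       # DNS names taken from the certificate SAN
        [Parameter(Mandatory)] [string[]] $RequiredNames,  # farm FQDN plus the FQDN of every WAC server
        [switch] $AllowWildcard                            # off = strict rule (no wildcards accepted)
    )
    foreach ($name in $RequiredNames) {
        $coveredBy = $null
        foreach ($san in $SanNames) {
            if ($san -eq $name) { $coveredBy = $san; break }   # -eq is case-insensitive for strings
            if ($AllowWildcard -and $san.StartsWith('*.')) {
                # A wildcard stands for exactly one label: *.corp.example covers
                # wac01.corp.example but not a.b.corp.example or corp.example itself.
                $pattern = '^[^.]+' + [regex]::Escape($san.Substring(1)) + '$'
                if ($name -match $pattern) { $coveredBy = $san; break }
            }
        }
        [pscustomobject]@{ Name = $name; Covered = [bool]$coveredBy; CoveredBy = $coveredBy }
    }
}

# Constructed sample: SAN entries of a certificate and the names the farm needs.
$san      = 'wac.corp.example', 'wac01.corp.example', '*.farm.corp.example'
$required = 'wac.corp.example', 'wac01.corp.example', 'wac02.farm.corp.example'

# Strict rule: wildcard entries are ignored.
Test-WacCertificateNames -SanNames $san -RequiredNames $required

# Permissive rule: single-label wildcard entries count.
Test-WacCertificateNames -SanNames $san -RequiredNames $required -AllowWildcard

# Assumption: for an installed certificate the SAN names can be read from the
# DnsNameList property that the Cert: provider adds, e.g.
#   (Get-Item Cert:\LocalMachine\My\<thumbprint>).DnsNameList.Unicode
```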

Roles

By default, all WAC-farm machines run all roles. You can specify different roles for different machines. Recommendation is to split roles if you have 50 servers in WAC farm or more.

International: if you want different languages, the host (SharePoint) must have the LP (language pack) installed, as well as WAC farm. Adding LPs is like patching the farm.

SharePoint system account can’t use Office Web Apps

WOPI-zones

internal/external + http/https

internal-https by default

internal = NetBIOS, external = FQDN

Exchange only uses external zone

WOPI binding to SharePoint

New-SPWOPIBinding
(server name only -> all bindings, but granular bindings are possible;
SharePoint allows multiple WOPI Apps, Exchange and Lync – only one)

Excel Web Apps vs Excel services

Remove-SPWOPISuppressionSettings -Action … -Extension …

Remove-SPWOPIBinding -All:$true

PDF-previews require custom code

Get-OfficeWebAppsHost, Set-OfficeWebAppsHost – Manage hostnames that can call the WAC farm (default – all)

specify a domain, “*” is implicit, sub-domains are allowed

 

Troubleshooting Office Web Apps farm (WAC farm)

  • Get-OfficeWebAppsFarm
  • Get-OfficeWebAppsMachine (Office Web Apps Health)
  • Event Viewer (Applications and Services Logs)
  • ULS Viewer (no need for .NET 3.5 with a config file)
  • ULS Logs (c:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS)
  • Set-OfficeWebAppsFarm -LogVerbosity Verbose
    (must restart every server in the farm,
    affect performance – do not leave verbose log settings for a long time)
  • Host Event Viewer, Host ULS Logs (same correlation Id)
  • Fiddler
  • deep dive – The WOPI protocol specs

Set-OfficeWebAppsFarm
must restart every server in the farm after some config changes (see TechNet for how)

Check The Version of WAC farm

(Invoke-WebRequest https://wacspc1.corp.local/m/met/participant.svc/jsonAnonymous/BroadcastPing).Headers["X-OfficeVersion"]

Repair-OfficeWebAppsFarm: removes unhealthy servers from the farm

Common issues:

  • Unhealthy machine: Intra-farm communication? Certificate? WCF HTTP Activation feature?
  • Watchdog process crashes: check ASP.NET performance counters correctly registered
  • SharePoint connections: Firewall/Lookup SP<->WAC 80/443? HTTP or HTTPS? Wopi zone?
  • UPSA out of sync (if permission was given via AD – user can not edit docs)?
  • Security-Hardened Drives: log/cache on non-system drive -> grant permissions to CREATOR OWNER and server\users

 

 

#Source:        Schannel
#Event ID:      36871
#A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
# 1.In Control Panel, click Administrative Tools, and then double-click Local Security Policy.
# 2.In Local Security Settings, expand Local Policies, and then click Security Options.
# 3. Policy, System cryptography, Use FIPS compliant algorithms for encryption, hashing, and signing -> Enabled.

# Enable TLS 1.2 in OOS: make .NET 4.x use strong crypto (64-bit view first, then 32-bit view)
$registryPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
$Name = "SchUseStrongCrypto"
$value = "1"
Test-Path $registryPath                             # the key must exist
Get-ItemProperty -Path $registryPath -Name $Name    # current value (errors if not set yet)
# -Force overwrites the value if it already exists instead of failing
New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType DWORD -Force

$registryPath = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319"
$Name = "SchUseStrongCrypto"
$value = "1"
Test-Path $registryPath
Get-ItemProperty -Path $registryPath -Name $Name
New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType DWORD -Force

#############################
# Disable earlier versions of SSL and TLS in Windows Schannel
# check: list the Client and Server keys of each legacy protocol
$registryPath = @()
$registryPath += "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client"
$registryPath += "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
$registryPath += "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client"
$registryPath += "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"
$registryPath += "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"
$registryPath += "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
$registryPath += "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"
$registryPath += "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"

# Enabled = 0 with DisabledByDefault = 1 means the protocol is off; a missing key raises an error and means the OS default applies
$registryPath | Get-ItemProperty | select DisabledByDefault, Enabled, PSPath

#############################
# If you are getting errors with Install-PackageProvider : Unable to find repository with SourceLocation ''. Use Get-PSRepository to see all available repositories.
# or Get-PSRepository returns
# PackageManagement\Get-PackageSource : Unable to find module providers (PowerShellGet).
# or Install-Module does not work,
# the most likely cause is "FIPS Cryptography Enabled" on the Windows Server 2016 machine.
#
$registryPath = "HKLM:\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy"
$Name = "Enabled"
Test-Path $registryPath
Get-ItemProperty -Path $registryPath -Name $Name    # current value
$value = "0"
Set-ItemProperty -Path $registryPath -Name $Name -Value $value
Get-ItemProperty -Path $registryPath -Name $Name    # confirm the change
##########################################################
 

 

 

 

Office Web Apps farm (WAC farm) update/support

Important notes:

  • CU, PU – released monthly, include updates for LPs; install with care, and only if they resolve an issue you are affected by
  • security updates – (comes with windows updates?) – install as soon as you can
  • Service Packs – install
  • Automatic updates not supported
  • update single-server WAC farm during non-critical hours or a maintenance window
  • do not remove “master” server from the farm first, remove master last (switch master with Set-OfficeWebAppsMachine -Master wac67.corp.local)

Update single-server Office Web Apps farm (WAC farm)

  1. Remove WAC server from farm (Remove-OfficeWebAppsMachine)
  2. Update server (install updates, restart the server)
  3. Recreate farm
    (New-OfficeWebAppsFarm -InternalURL "https://wacfarm.domain.local" -EditingEnabled)

Update multi-server Office Web Apps farm (WAC farm)

  1. Find master server
    (Get-OfficeWebAppsMachine).MasterMachineName
    (Get-OfficeWebAppsFarm).Machines
    (keep in mind it must be the last one removed,
    or switch master with Set-OfficeWebAppsMachine -Master)
  2. Remove “slave” machine from NLB, then remove it from WAC farm, update it, recreate farm on that server (same parameters), point NLB to that server
  3. Remove second server from old WAC farm, update it, join it to new WAC farm, add it to NLB
  4. (on Host) update proof key or reconnect WAC farm
  5. Remove last “master” server from old WAC farm, update it, join it to new WAC farm, add it to NLB

 

(see also WAC Setup Guide)

Based on Wictor Wilén’s:

  • https://channel9.msdn.com/Events/SharePoint-Conference/2014/SPC383
  • http://www.askwictor.com/Tags/WAC%20Server

and Vlad Catrinescu: