Office Web Apps server security question
Hello,
According to this technet article Microsoft appears to recommend against allowing both external and internal users access to your OWA server.
http://technet.microsoft.com/en-us/library/jj219435(v=office.15).aspx#viewers
"Files that are intended to be viewed through a web browser by using Online Viewers must not require authentication. In other words, the files must be available publicly because Online Viewers can’t perform authentication when it is retrieving files.
We strongly recommend that the Office Web Apps Server farm that you use for Online Viewers is only able to access either the intranet or the Internet, but not both. This is because Office Web Apps Server doesn’t differentiate between requests for intranet
and Internet URLs. Somebody on the Internet could request an intranet URL, for example, causing a security leak if an internal document is viewed."
Just trying to make sense of this. I am building a new Lync 2013 environment and I definitely want my internal users to be able to leverage the OWA server. So does that mean I should not publish that server to the internet? And if I do
not, does that mean my users will not be able to share a powerpoint presentation at all to external users? If this is all true and I'm understanding this correctly, does this mean that most implementations choose one or the other? Or does Lync not
use these "Online Viewers" so I can just disable them and users will still be able to share powerpoint presentations with external users?
Thanks for any help you can provide for this confusion.
No, you should publish to both internal and Internet on the same server, it's just how it's done with Lync. You can't really have two with Lync for this purpose anyway. Users will upload PowerPoint presentations to it when it's time to share,
no editing is possible, and the risk is generally minimal. You can shorten the cache time to help if you're concerned.
Regardless, from the article:
http://technet.microsoft.com/en-us/library/jj219442(v=office.15).aspx setting OpenFromUrlEnabled "Turns on or off the ability to use Online Viewers to view Officefiles from a URL or UNC path.". This is set to false and turned off by default.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications
Similar Messages
-
Office Web Apps server for Lync DNS question
We are going to deploy an Office Web Apps server for our Lync 2013 clients, available internally and externally. We do not have a split-horizon DNS so it is not possible for wac.foo.com to have a different IP for internal vs. external clients. What is the
best setup for our scenario? It looks like we can only add one address in the Lync topology builder, so would it make sense to send everybody to the external wac.foo.com regardless of whether they are internal vs. external? Or is there a better option?
Thanks,
MattIt might be easiest to use pin-point DNS. Create an internal zone called wac.foo.com with a blank A record that points to the internal IP address of the OWAS/WAC server. This way, wac.foo.com will resolve to the correct
internal address, but you're not setting up a split zone for the rest of foo.com.
This trick can come in handy for publishing other items without recreating the entire zone, it's a nice one to keep in your back pocket.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications -
Office 365 instead of Office Web Apps server?
We don't have an Office Web Apps server deployed. We'd really like to share Powerpoints in Lync with the full user experience, but we don't want to install a standalone server just for Office Web Apps since we wouldn't use it for anything else. We
use Office 365, is there a way to use an FQDN from Office 365 and point to that in topology builder as our Office Web Apps server? We area always loading PowerPoint from the cloud anyways. Is there any way to get around installing a stand alone
OWAS server?
Thanks,
BrandonNo as of today I believe that with Lync server 2013 on premise you do need office web app server on premise
Please remember, if you see a post that helped you please click ;Vote As Helpful" and if it answered your question please click "Mark As Answer" Regards Edwin Anthony Joseph -
Office Web Apps server not working externally
Hopefully someone with a functional OWA server can help. When my users try to share a presentation, whiteboard, or poll as an external user or to an external user (coming through Edge), the content fails to share and this error occurs:
"We can't connect to the server for presenting right now"
The server functions internally fine and content shares perfectly. The OWA server has a certificate from an internal CA and it is published through a TMG reverse proxy. When I hit the discovery URL, it works fine and triggers the reverse proxy
rule. However, when I try to share content, it does not hit the rule.
Thanks for your help!
JimHi,
Looks like the external lync clients can't connect the office web app server. So please check if you publish the web office app to internet correctly.
Please refer this document about Publishing Office Web Apps Server Using a Reverse Proxy Server:
http://technet.microsoft.com/en-us/library/jj204665.aspx
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Sean Xiao
TechNet Community Support -
Office Web Apps Server to One Webapplication
having a farm with 2 WebApplications -> WebApp1 and WebApp2
I would like to have only WebApp2 to utilize the Office Web App server and not the WebApp1 ..
Is this possible?Office Web apps gets registered to the whole farm, but you can modify the settings on all the site collections in Wb App 2 so they don't open in browser by default. With that setting documents will open on the desktop client and not in Office Web Apps.
Here's an article that discusses how to change the setting.
http://technet.microsoft.com/en-us/library/ee837425(v=office.15).aspx
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem. -
Office Web Apps Server SSL Certificate
Hi
I am deploying Office Web App Server for Integration with Lync 2013. I opted for secure communication with SSL Certificate. I want this server available to internal and external users.
I am little confused over CA for Issuance of SSL Certificate. On most of the forums, I found SSL Certificate to be issued by Internal CA. If so, will this also work for external users?
If not, then plz guide me for Generating Certificate Request on Office Web App Server to be submitted to External CA for Issuance of Certificate.
Regards.Hi,
Thanks for your posting in this forum.
I have moved this thread in Lync Server 2013-Management, Planning, and Deployment forum for more dedicated support.
Thanks for your understanding.
Best Regards,
Wendy
Wendy Li
TechNet Community Support -
Office Web Apps Server - Access is denied
Hello,
I was able to create an Office Web Apps server and was able to create a new farm for that server all without any issues, everything works great.
Unfortunately right after creating the farm, when attempting to run any other related powershell commands such as:
Get-OfficeWebAppsFarm
Remove-OfficeWebAppsFarm
I get this error in powershell:
Get-OfficeWebAppsFarm : Access is denied.
At line:1 char:1
+ Get-OfficeWebAppsFarm
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-OfficeWebAppsFarm], SecurityAccessDeniedException
+ FullyQualifiedErrorId : System.ServiceModel.Security.SecurityAccessDeniedException,Microsoft.Office.Web.Apps.Adm
inistration.GetFarmCommand
Although everything is actually working on the server, I'd like to be able to use those other commands in the future so I can check configurations, use "Remove" for running updates, etc... Unfortunately it appears as though this Access is
denied error may interfere with those activities.
Has anyone seen this before?
Thank youHi,
According to your post, my understanding is that you failed to run any other related powershell commands after creating the farm for Office Web Apps server.
If the account trying to get OfficeWebAppsFarm does not have local admin access on the machine you will simply get an “Access is denied”.
Please make sure you have the permission to run the commands.
More information:
http://www.wictorwilen.se/office-web-apps-2013-securing-your-wac-farm
Thanks,
Linda Li
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Linda Li
TechNet Community Support -
We are planning a upgrade of a SP2010 farm to 2013. There has been a bit of customization so we wish to run the old sites on the new SP2013 platform in SP2010 compatibility mode.
So my question is will Office Web Apps Server 2013 work with the old sites hosted in compatibility mode?
I found a similar query from March 2014 found here
http://sharepoint.stackexchange.com/questions/93101/office-web-apps-2010-running-on-sharepoint-2013-for-compatibility-mode-sites/116281#116281
Has there been an update released to resolve this
Cheers DHi ,
According to your description, my understanding is that you need to know whether Office Web Apps 2013 is working with SharePoint 2013 sites which is in SharePoint 2010 compatibility mode.
For my test, Office Web Apps 2013 with SharePoint 2013 sites which is in SharePoint 2010 compatibility mode is working fine.
Thanks,
Eric
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Eric Tao
TechNet Community Support -
Hi !
I have the following questions:
1. Do we use only Web Server (IIS) for this product or we can use other servers : Apache WebServer, other.
2. What files or configuration files of the Office WebApps Server pack contain information about settings and linking to SharePoint2013, Lync2013 and Exchange Server. With other words, via what files does Office WebApps Server perform linking
to SharePoint2013, Lync2013 and Exchange Server?
Thank you!Hi,
this thread offers some discussion and links on Office Web Apps, which may be helpful:
http://social.technet.microsoft.com/Forums/office/en-US/01785458-caec-4720-9182-5ae49a71cbac/does-office-web-apps-server-have-direct-frontend-for-users-?forum=officeitpro
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Office web apps server 2013 install issue
Dear All,
when i install office web apps server in a new server(OS:Windows Server 2008 SP1) with PowerShell Scripts it keep the installing status for more than four hours .
what should i do now ,i think it should not take such long time as i do the same installing in the other server before which takes less than 1 hours.
beg your suggestions!Hey
please take these points into your considerations:
- OWA server can be installed on Windows server 2008 R2 or Windows server 2012
- Log in as administrator and preferred to use domain administrator account specially to create new office web apps farm
- run the script
Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices,NET-Framework-Features,NET-Framework-Core
It takes approximately 20 minutes :)
Also check this link for Required Server Roles, and Features for Office Web Apps
http://technet.microsoft.com/en-us/library/jj219435.aspx
Ahmed Said Moussa SharePoint Consultant -
Office web apps server 2013 - launching search on loading page
Hello!
I use Office Web Apps Server 2013 for viewing documents on internal portal (it is not SharePoint, and documents is read only) with automatic generating links. Links are generated according instruction
on http://<OWA host>/op/generate.aspx (for example, http://<OWA host>/op/view.aspx?src=<path to file>).
I have some questions:
1) In some cases, when a document is openedI want
immediately start the search with some terms.
Can I give terms
to search in url params in generated url? For example, http://<OWA host>/op/view.aspx?src=<path to file>#search=<terms>?
Is there any other
way to run a search on page load?
2) I want to use multi-term search (when my search query is 'tame tamed taming', and
all individual words ('tame', 'tamed', 'taming')
are highlighted in document).
Is there a way to do it?
3)I want to use whole-word search (when my search query is'act', and words 'practice' or 'action' are not
highlighted in document).
Is there a way to do it?Hi Jazzy.em
Thanks for posting in MSDN forum.
This forum is for developers discussing developing issues about
apps for Office. Since the issue is more about Office web app, I suggest that you get more effective response from
Office 365 forum.
The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.
Thanks for your understanding.
Regards & Fei
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey. -
Office web apps server (2013) certificate issue
If the name of the farm is different from the name of the individual office web apps server machine is there any way to deploy office web apps server with a single domain SSL certificate?
My office web apps server is working, but reporting itself unhealthy, apparently due to the fact that the SSL cert is for the name of the farm and that is different from the name of the machine.
Errors are 2004, 1004, 2156, 1156, "could not establish trust relationship for the SSL/TLS secure channel"
Going to the farm's discovery URL in the browser works fine, but going to the machine name (plus /hosting/discovery) gives an SSL error because the name of the farm is not the same as the name of the machine.
Is there any way to make it use the farm's URL instead of the machine's URL in its own internal watchdog operations? Or any way to make it use a self signed certificate on the machine's URL for it's own health checks and still use the legitimate purchased
SSL cert for user access? Or any other way you can think of to use a $5.99/yr single domain certificate instead of a $89.99/yr multiple domain certificate?
Bill CoulterI am experiencing this same issue. The OWA server has sp1 installed. In the OWA event logs I am getting health fails for 2 events and as best I can tell it seems to be related to this issue.
We are also using a single godaddy certificate with a non machine name FQDN. Both internal and external url's of the OWA farm are set to this same name.
The problem only seems to occur with the 'Proofing Watchdog' (See events below).
Has anyone got any update on whether this is supposed to be fixed ?
<?xml version="1.0" encoding="utf-16"?>
<HealthReport xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<HealthMessage>ProofingWatchdog reported status for Proofing in category 'PositiveWeb'. Reported status: Spelling attempt exception for "good": System.Net.WebException: The underlying connection was closed: Could not establish
trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
<?xml version="1.0" encoding="utf-16"?>
<HealthReport xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<HealthMessage>ProofingWatchdog reported status for Proofing in category 'NegativeWeb'. Reported status: Spelling attempt exception for "baad": System.Net.WebException: The underlying connection was closed: Could not establish
trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception -
SharePoint 2013 Anonymous (public) site and Office Web Apps Server 2013 issue with download.aspx
Our organization has a public facing anonymous site in SharePoint 2013 which allows access to documents (docx) in a library. ViewFormsLockdown is activated as we present the documents via CQWP / custom template. We are combating the usual
issue of multiple login prompts when using Internet Explorer when a user accesses said document. We also have tried using the Word Viewer (view only mode) from Office Web Apps Server 2013 which works well, but ...
the problem stems from the fact that users can go the file menu from the word view and choose to download the document (which is what we want), unfortunately it looks like the link redirects via /_layouts/15/download.aspx which also presents a login
prompt. Much has been written out there about doing direct links for documents via /_layouts/download.aspx to address multiple login prompts when the document is opening in word (from IE).
I've tried nearly every combination of recommendations (disabling client integration, browser file handling (permissive/strict), ViewFormsLockdown feature, web.config modifications with options and propfind verbs and more) all to varying levels of success,
but never totally getting rid of the prompt. It has been stated that because the downloads.aspx inherits from Microsoft.SharePoint.ApplicationPages.Download this will not allow anonymous access. We really want to use the word view from the Office
web app and have the file download functionality work from the menu there ... can anyone suggest an alternate fix? I might be wishing but will appreciate any guidance offered ...
cheers,
Dean
some reference links (but not all) for various things we've tried:
http://mohitvash.wordpress.com/2013/06/18/sharepoint-download-a-file-programatically/
http://blog.sharedove.com/adisjugo/index.php/2012/09/29/open-sharepoint-files-in-edit-mode-from-client-applications-and-not-read-only/
http://stackoverflow.com/questions/375390/office-documents-prompt-for-login-in-anonymous-sharepoint-site
http://yalla.itgroove.net/tag/anonymous-access/
GlifnardI'm glad to here that the problem has been fixed. Thank you for sharing your experience here, it will be helpful to other community members who have similar questions.
Cheers,
Steve Fan
TechNet Community Support -
Can i use office web app server without adding to a domain ?
spserver.local is my domain controller webapp.spsserver.local is my office web app server(OWA)(IP:79.123.161.xxx )
I manage to use office web app with sharepoint 2013 my OWA is in a domain (spserver.local) and it's address is http://webapp.spserver.local/hosting/discovery There
is no problem. But I want to seperate OWA with Sharepoint and its domain I want to remove the domain.Is it possible?
For example my OWA's ip is 79.123.161.xxx
I want to work like this: http://79.123.161.xxx/hosting/discovery
When I enter the path http://79.123.161.xxx/hosting/discovery there
is an iis message "File or directory not found."Are you asking if you can have your OWA in different domain compared to SharePoint server domain or are you asking that your OWA does not belong to any domain and you still want to use it with SharePoint?
If your question is regarding using OWA in different domain then I think (someone can correct me if I am wrong) OWA can run into different domain. You just need to add your SharePoint Server host domain to the Allow List for an Office Web Apps Server farm.
http://technet.microsoft.com/en-us/library/jj219459.aspx
If your question is related to OWA not belonging to any domain then I do not think that will work and its not supported scenario. If you read the following article it states
"All servers in the Office Web Apps Server farm must be part of a domain. They can be in the same domain (recommended) or in domains that are in the same forest. However, Office Web Apps Server won’t work if you try to install it on a domain controller."
http://technet.microsoft.com/en-us/library/jj219435.aspx
Amit -
Office web App Server Not Working Properly
Hello Everyone,
We have published Office Web Apps server externally through reverse proxy and it has some issues. Now if we browse the link
https://owas.schs.sharjah.ae/hosting/discovery (Internally) or
https://owa.schs.sharjah.ae/hosting/discovery (Externally) I get the XML Page.
Now when I try to browse any other pages in the directory for example
https://owa.schs.sharjah.ae/op/generate.aspx or another Url like
https://owa.schs.sharjah.ae/m/Presenter.aspx whether it is browsed internally and externally I get the error file not found '404' but the files do exist in the directory.
No idea on how to solve this issue, any help on this matter is really appreciated.
Regards,
Sheldon
MVI - Most Valuable IndianWhat specific issue are you having?
Are you wanting to use the WAC to open files using the URL? If so, have you set OpenFromUrlEnabled to true? You can
check this using Get-OfficeWebAppsFarm cmdlet and Set-OfficeWebAppsFarm OpenFromUrlEnabled $true cmdlet.
I have several Office WebApp instances that I've deployed for Lync PowerPoint sharing where the setting is not enabled and I am also unable to browse to those pages, but PowerPoint sharing works fine.
If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer" | Blog
www.lynced.com.au | Twitter
@imlynced
Maybe you are looking for
-
Wifi problems on Macbook after Yosemite upgrade
I am having very serious problems with wifi connectivity of my Macbook Pro Retina after upgrading for OS X 10.10 by the end of October . Of course this has a great impact on system usability since almost exclusively use wifi to connect to the network
-
How to disable the Save button For a pdf?
Hi, I have a requirement that when you open the livecycle developed pdf, the Save option available in the toolbar (Save As icon) and File menu of the Reader should be disabled. A button will be provided in the form separately to provide the Save func
-
C++ (Win32) V2.0.3 encoding problem
I've tried to run on WinNT this program: if (ecode = xmlpar.xmlinit()) cout << "Failed to initialize XML parser, error " << ecode << endl;; return 1; if (ecode = xmlpar.xmlparse((oratext *) "testcase.xml", (oratext *) NULL, flags)) return 1; then I r
-
I need to make a copy of an entire email, including the header w/the sender's info and time, etc. to insert into a letter, etc. How can I do this w/out cutting and pasting the header separately from the text. I know there is a way besides a screen
-
Anyone know the size of the fan in the top of the base?
i need to know for replacement purposes. thanks in advance. also, what is the thermal paste all about? where do i put it? why?