Configuring Office Web Apps in SharePoint 2013
As you know or will soon learn, Office Web Apps in SharePoint 2013 is no longer a service application that is part of your SharePoint farm. Instead it is installed as a separate farm, which provides a number of advantages, such as reuse between multiple SharePoint and Exchange farms, a separate patching schedule, etc. It can be a little confusing at first though, to figure out how to connect an Office Web Apps farm to a SharePoint farm. What follows here are the installation pre-requisites for Office Web Apps and information about how to connect these farms together.
Office Web Apps does not have a prerequisites installer like SharePoint 2013 does so you may need to install these components separately before you starting installing.
- Install PowerShell 3.0 (RC1 is the latest version at this time: https://www.microsoft.com/en-us/download/details.aspx?Id=29939)
- Install .NET 4.5 (RC is the latest version at this time: https://www.microsoft.com/visualstudio/11/en-us/downloads#net-45). IMPORTANT: If the installer shuts down any of the .NET listeners during installation, you MUST reboot the server prior to installing WAC. Otherwise you will find numerous errors about endpoint not found, not listening, or connection refused in the Office Web Apps application node in the Event Viewer and you will not be able to render any documents.
- Install this hotfix: https://www.microsoft.com/download/en/details.aspx?id=27928
UPDATE: I wanted to update with some additional information on this for RTM and Windows Server 2012. Part of the difficulty in providing this guidance before we ship is that things change. Here's the latest experiences when using RTM builds on Windows Server 2012:
- You don't need to do any of the three steps above.
- You need to start PowerShell as an administrator.
- You need to add the WAC admin module as follows: import-module "C:\Program Files\Microsoft Office Web Apps\AdminModule\OfficeWebApps\OfficeWebApps.psd1"
You will need to jump through a couple of hoops on Server 2012 to get all the pre-reqs in place. You need to:
- Install the IIS, .NET 4.x, and the Ink and Handwriting Services (no idea why on that last one)
- After all that's finished you have to go back add additional features to that service:
- "ASP.NET 4.5"
- ".NET Extensibility 4.5"
- "ISAPI Extensions"
- "ISAPI Filters"
- "Server Side Includes"
You can now install Office Web Apps. Once it’s installed, you need to either create a new Office Web Apps farm, or join your server to an existing farm. In this case I’m just going to describe how to create a new farm; to get the PowerShell to add a server to a farm just do a get-command *office* in PowerShell. To create the farm do the following:
- Open PowerShell by going to Start…Run and typing powershell.
- To use HTTPS with WAC (recommended):
- Create an SSL certificate that will be used with the fully qualified domain name of the server; make note of the friendly name you use when you create the certificate. You should use IIS to request the certificate to ensure that it gets created in the correct certificate store.
- Provision the WAC farm with this PowerShell command: New-OfficeWebAppsFarm -Verbose -InternalUrl https://<machinename> -ExternalUrl https://<fully.qualified.machine.name> -CertificateName <FriendlyNameOfCertificateFromPreviousStep> -ClipartEnabled -TranslationEnable
- To use HTTP with WAC (not recommended):
- Provision the WAC farm on the WAC server with this PowerShell command: New-OfficeWebAppsFarm -Verbose -InternalURL https://<machinename> -ExternalUrl https://<fully.qualified.machine.name> -AllowHttp -ClipartEnabled –TranslationEnabled
Now that your Office Web Apps farm is up and running, you can connect your SharePoint farm. To do that, login to any server in your SharePoint farm and open the SharePoint PowerShell command window. Use the following command to connect to the Office Web Apps farm:
- To use HTTPS with WAC (recommended):
- Create the connection to WAC with this PowerShell command: New-SPWOPIBinding -ServerName <fully.qualified.machine.name of WAC server>
- To use HTTP with WAC (not recommended; Note – will not work if you did not configure Office Web Apps to support HTTP):
- Create the connection from the SharePoint farm to the WAC farm with this PowerShell command: New-SPWOPIBinding -ServerName <NameOfWacServer> -AllowHTTP
- Run the following command on the SharePoint server (note there's no "s" at the end): Set-SPWopiZone internal-http
Generally speaking, you should configure Office Web Apps to use HTTPS. The reason for that is that you can only have one WopiZone binding per SharePoint farm, HTTP or HTTPS. If you ever have both HTTP and HTTPS web apps zones, you will need Office Web Apps to be HTTPS. If it's HTTP only, you will get mixed content warnings when you are in an HTTPS site and you try and render HTTP Office Web Apps. However if you try to render HTTPS Office Web Apps in an HTTP web app zone you will not get any warnings. In addition, since the access token is passed between SharePoint and the Office Web Apps servers it is safer to have the traffic encrypted with SSL so that it cannot be sniffed out and replayed.
UPDATE: One final note worth making here. When you create the New-SPWopiBinding to the web apps farm, it will use the server name you provide and expect it to be HTTPS. That means if you say your ServerName is wac.foo.com, then it will try and contact it at https://wac.foo.com. If you do not have an SSL certificate with a common name of wac.foo.com bound to the IIS server that the web apps is using, then the New-SPWopiBinding will fail and tell you that it can't find the server. There other thing to note is that THIS IS NOT NECESSARILY THE SERVER NAME SHAREPOINT WILL USE TO REQUEST WAC CONTENT!! The server name it will use is actually contained in a discovery document on the web apps server. If you navigate to https://wac.foo.com/hosting/discovery then you should get the XML document it uses, and it will show the names it is using for both the internal and external zone (web apps only have two zones, it is not like SharePoint).
The reason I bring this up is because what I found is that after I run the New-SPWopiBinding cmdlet on SharePoint, by default it is setting the current WOPI zone as internal-https. However, I use a fully qualified domain name for my WAC endpoint. So instead of SharePoint requesting web apps at https://wac.foo.com, it makes the request to https://wac. The problem then is that your SSL certificate on the web apps servers does not match the request coming from SharePoint, so you will get a random and varying assortment of errors. The solution to this is to change your WOPI zone in SharePoint with the Set-SPWopiZone cmdlet, i.e. Set-SPWopiZone external-https. That will make SharePoint use the external name in the discovery document, which should be https://wac.foo.com. Many thanks to Yanlin for helping me track this down!