
Plan Office Web Apps Server

Office Web Apps

Updated: April 16, 2013

Summary: Learn about Office Web Apps Server requirements, such as HTTPS, certificates, virtualization, load balancing, topologies, and security.

Applies to:  Office Web Apps Server 

Audience: IT Professionals

Office Web Apps Server runs on one or more servers and provides browser-based Office file viewing and editing to multiple hosts throughout your organization. The servers or virtual machine instances that run Office Web Apps Server must be configured identically and run a specific list of roles and services. Careful planning is required to make sure that all hosts, such as SharePoint 2013, Lync Server 2013, and Exchange Server 2013, can communicate with the Office Web Apps Server farm.

Note:

SharePoint 2010 Products cannot be a host for Office Web Apps Server. Office Web Apps Server is not supported by SharePoint Foundation 2010 or SharePoint Server 2010.

Important:

This article is part of the Content roadmap for Office Web Apps. Use the roadmap as a starting point for articles, downloads, and videos that help you deploy and manage Office Web Apps.

Are you looking for help with Office Web Apps on your desktop or mobile device? You can find this information by searching for "Office Web Apps" on Office.com.


About planning for Office Web Apps Server

This article describes preliminary planning guidance for Office Web Apps Server. Because this product can provide services to multiple hosts, you’ll want to consult the planning guidance for the hosts that you plan to deploy. There may be exceptions or other requirements for Office Web Apps Server that are not described here.

See the following resources for additional guidance.

To download Office Web Apps Server, visit the Microsoft Download Center.

Important:

If you have installed Office Web Apps Server Preview, the only supported method of upgrading to the RTM version is a complete reformat of the server on which you installed the software.

Software, hardware, and configuration requirements for Office Web Apps Server

Office Web Apps Server supports two primary installation scenarios: a single-server Office Web Apps Server farm, and a multi-server, load-balanced Office Web Apps Server farm. You can use physical servers or virtual machine instances to run Office Web Apps Server, but you can’t install other server applications, such as SharePoint 2013 or SQL Server, on those servers. In environments that contain actual user data, we always recommend that you use HTTPS, for which you’ll have to obtain a certificate. If you’re using multiple servers in your farm, you’ll have to configure a hardware or software load-balancing solution. Preliminary requirements for all these scenarios are described in the following sections.

Hardware requirements for Office Web Apps Server

Office Web Apps Server uses the same minimum hardware requirements as SharePoint Server 2013. You can find the full set of SharePoint 2013 requirements in Hardware requirements—web servers, application servers, and single server installations. Additional scalability guidance will be provided in future updates to this article.

Supported operating systems for Office Web Apps Server

You can run Office Web Apps Server on the following operating systems:

  • The 64-bit edition of Windows Server 2008 R2 Service Pack 1 (SP1) Standard, Enterprise, or Datacenter with KB2592525 installed

  • The 64-bit edition of Windows Server 2012 Standard or Datacenter

Important:

We recommend that you install Windows Server service packs and cumulative updates as they become available. However, at this point, the only required update is KB2592525 for servers that run Windows Server 2008 R2 SP1.

Domain requirements for Office Web Apps Server

All servers in the Office Web Apps Server farm must be part of a domain. They can be in the same domain (best practice) or in domains that are in the same forest.

Caution:

Do not install Office Web Apps Server on a domain controller.

Server roles, services, and other software that are required for Office Web Apps Server

Before we describe what to install on your servers, we have to tell you what not to install. Review these guidelines carefully:

  • Servers that run Office Web Apps Server must not run any other server application. This includes Exchange Server, SharePoint Server, Lync Server, and SQL Server. If you have hardware constraints, you can run Office Web Apps Server in a virtual machine instance on one of these servers.

  • Do not install any services or roles that depend on the Web Server (IIS) role on port 80, 443, or 809 because Office Web Apps Server periodically removes web applications on these ports.

  • Do not install any version of Office. You must uninstall Office before you install Office Web Apps Server.

  • Do not install Office Web Apps Server on a domain controller. Do not install Office Web Apps Server on a Windows Server that is running Active Directory Domain Services (AD DS).

Now we'll cover what you must install. The details are described in the following table.

Downloads, server roles, and features that are required for Office Web Apps Server

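For each download, server role, or feature, what to install on Windows Server 2008 R2 and on Windows Server 2012:

Download: Office Web Apps Server

  • Windows Server 2008 R2: Microsoft Download Center

  • Windows Server 2012: Microsoft Download Center

Download: .NET Framework 4.5

  • Windows Server 2008 R2: .NET Framework 4.5

  • Windows Server 2012: Already installed

Download: KB2592525

  • Windows Server 2008 R2: KB2592525

  • Windows Server 2012: Already installed

Download: Windows PowerShell 3.0

  • Windows Server 2008 R2: Windows PowerShell 3.0

  • Windows Server 2012: Already installed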

Server role: Web Server (IIS)

On Windows Server 2008 R2, the following list describes the minimum role services that are required for the Web Server (IIS) server role.

Common HTTP Features

  • Static Content

  • Default Document

Application Development

  • ASP.NET

  • .NET Extensibility

  • ISAPI Extensions

  • ISAPI Filters

  • Server Side Includes

Security

  • Windows Authentication

  • Request Filtering

Management Tools

  • IIS Management Console

The following options are recommended but not required:

Performance

  • Static Content Compression

  • Dynamic Content Compression

On Windows Server 2012, the following list describes the minimum role services that are required for the Web Server (IIS) server role.

Management Tools

  • IIS Management Console

Web Server

  • Common HTTP Features

  • Default Document

  • Static Content

Security

  • Request Filtering

  • Windows Authentication

Application Development

  • .NET Extensibility 4.5

  • ASP.NET 4.5

  • ISAPI Extensions

  • ISAPI Filters

  • Server Side Includes

The following services are recommended but not required:

Performance

  • Static Content Compression

  • Dynamic Content Compression

Feature: Ink and Handwriting Services

  • Windows Server 2008 R2: Ink and Handwriting Services

    • Ink Support

  • Windows Server 2012: Ink and Handwriting Services

Note:

You don’t have to install Ink Support. You can just install Ink and Handwriting Services.

Support for virtualizing Office Web Apps Server

Office Web Apps Server is fully supported when you deploy it by using Windows Server Hyper-V technology. If you plan to virtualize Office Web Apps Server, follow these guidelines:

  • Install Office Web Apps Server in its own virtual machine instance. Do not install any other server applications, such as SharePoint 2013, in this instance.

  • If necessary, you can install Office Web Apps Server in a virtual machine instance that is hosted by a server that runs SharePoint 2013.

  • For multi-server Office Web Apps Server farms, each instance should be on a separate virtual machine host so that the Office Web Apps Server farm will still be available if one of the hosts fails.

Firewall requirements for Office Web Apps Server

Customers often report problems caused by firewalls that are blocking communication between the web browser, the servers that run Office Web Apps Server, and the servers that run SharePoint 2013. Blocked communication can be especially problematic when these different components are in different parts of a network.

Ensure that the following ports are not blocked by firewalls on either the server that runs Office Web Apps Server or the load balancer:

  • Port 443 for HTTPS traffic

  • Port 80 for HTTP traffic

  • Port 809 for private traffic between the servers that run Office Web Apps Server (if you’re setting up a multi-server farm)

Load balancer requirements for Office Web Apps Server

We recommend a load balancing solution when you run Office Web Apps Server on two or more servers. You can use any load balancing solution. This includes a server that runs the Web Server (IIS) role running Application Request Routing (ARR). In fact, you can run ARR on one of the servers that runs Office Web Apps Server. If you don’t have a load balancing solution, here are some resources for using IIS with ARR:

Ideally, the load balancing solution that you choose supports the following features:

  • Layer 7 routing

  • Enabling client affinity or front-end affinity

  • Enabling SSL offloading

If you use a load balancer, you must install the certificate on the load balancer as described in the Securing Office Web Apps Server communications by using HTTPS section of this article.

DNS requirements for Office Web Apps Server

In environments that use HTTPS and load balancing, you must update DNS so that the FQDN of the certificate resolves to either the IP address of the server that runs Office Web Apps Server or to the IP address assigned to the load balancer for the Office Web Apps Server farm.

Planning language packs for Office Web Apps Server

Office Web Apps Server 2013 Language Packs enable users to view web-based Office files in multiple languages from SharePoint 2013 document libraries, Outlook Web App (as attachment previews), and Lync 2013 (as PowerPoint broadcasts). However, this depends on the languages that are configured on the host. To view web-based Office files from hosts in multiple languages, the following must be true:

  • The host (such as SharePoint Server 2013, Exchange Server 2013, or Lync Server 2013) is configured to run applications in additional languages. The process of installing and configuring language packs on the host is independent of installing a language pack on the Office Web Apps Server farm.

  • The languages are installed and are available on all servers in the Office Web Apps Server farm.

For Office 2013, Office Web Apps Server language packs are available in 50 languages. In cases in which the preferred language is not available, Office Web Apps Server selects the most appropriate language that is available.

To download the language packs for Office Web Apps Server and view installation instructions, visit the Microsoft Download Center.

Topology planning for Office Web Apps Server

Here are the guidelines for designing a topology for Office Web Apps Server.

  • All servers in the Office Web Apps Server farm are connected only to one another, and they are all connected to a broader network through a reverse proxy load balancer firewall.

  • Servers that run Office Web Apps Server initiate HTTP or HTTPS requests to hosts. Do not lock down the firewall to prevent these requests. Firewall issues are a common cause of failures for Office Web Apps Server.

  • All outgoing communications are routed through a NAT device, and all incoming communications are handled by a load balancer.

  • All servers in the Office Web Apps Server farm are joined to a domain and are part of the same organizational unit (OU). Use the FarmOU parameter in the New-OfficeWebAppsFarm cmdlet to prevent other servers that are not in this OU from joining the farm.

  • The topology uses Hypertext Transfer Protocol Secure (HTTPS) for all incoming requests.

  • Traffic among the servers is encrypted by using IPsec if you have IPsec deployed in the network.

  • If features such as clipart and translation services are needed, and the servers in the farm cannot initiate requests to the Internet, a proxy server must be configured for the Office Web Apps Server farm. This will allow HTTP requests to external sites.

  • The Office Web Apps Server farm does not have to be in the same datacenter as the hosts it serves. However, for heavy editing usage, we recommend that you put the Office Web Apps Server farm as close to the hosts as possible. This is less important for organizations that use Office Web Apps primarily for viewing Office files.

  • Servers in an Office Web Apps Server farm must be in the same datacenter. Don’t distribute them geographically. Generally you only need one farm, unless you have security needs that require an isolated network that has its own Office Web Apps Server farm.

  • If you use virtual machine instances, make sure that you put them on separate virtual machine hosts for redundancy. It’s okay if other instances on the host run server applications. Just don’t run server applications on the same instance as Office Web Apps Server.

Example: Topology for Office Web Apps Server

Microsoft IT uses the following topology, which can support up to 200,000 users, based on our testing. In this topology, Office Web Apps Server functionality is deployed by using the following components and services:

  • 10 datacenter class servers that are running Office Web Apps Server.

    • Supported operating systems: Windows Server 2008 R2 and Windows Server 2012.

    • RAM: 24 Gigabytes (GB)

    • Processor: Intel Xeon Processor E7 (16 core).

    • Office Web Apps Server is installed on the servers' system drive.

    • All servers are in a single Office Web Apps Server farm.

    • All servers that are in the Office Web Apps Server farm use identical configurations. The default out-of-the-box Office Web Apps Server configuration settings are used.

    • No Office Web Apps Server server roles are configured.

    • The servers that run Office Web Apps Server are located in the corporate network behind a hardware load balancer.

    • The servers that run Office Web Apps Server are joined to the corporate domain and are in a single Active Directory Domain Services organizational unit (OU) for operational purposes.

    • IPsec is not being used in these computers. Group Policy is applied to exclude IPsec. This is necessary to allow unblocked communications between the servers that run Office Web Apps Server in the corporate network.

  • The hardware load balancer (HLB) is dual-homed. The HLB has access to the Internet and to the corporate network. When the Office Web Apps Server farm is configured, the external URL is bound to the virtual IP (VIP) of the external-facing HLB, and the internal URL is bound to the VIP of the internal-facing HLB. The HLB in this topology example uses soft affinity, which relies on Layer 7 load balancing to distribute requests based on the data in application layer protocols such as HTTP. Using soft affinity means that requests for any specific session are routed to the same front end.

    • On the Internet side, a VIP address is used to publish the WAC service over SSL on TCP port 443. This is an Internet-routable IP address that has appropriate permissions and policies in the Internet-facing firewall. This IP space is advertised through a public DNS so that it can be accessed from the Internet.

    • The corporate network side of the HLB communicates directly with the servers that run Office Web Apps Server. An internal VIP and internal DNS entries are used for internal corporate traffic. The following table lists the DNS names and VIP addresses that are used in the example topology for internal and external traffic. The xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy are placeholders for actual VIP addresses.

      DNS names and VIP addresses examples

      DNS                                   VIP address       Description
      Officewebapps.extranet.contoso.com    xxx.xxx.xxx.xxx   External facing SSL endpoint
      Officewebapps.corp.contoso.com        yyy.yyy.yyy.yyy   Internal facing SSL terminated endpoint

    • The HLB is configured to make HTTP requests to each server in the farm to ensure that IIS is running. Unresponsive servers are removed from rotation.

The following illustration shows the topology example that includes an Office Web Apps Server farm, a dual-homed hardware load balancer and firewall, Exchange Server 2013, Lync Server 2013 and SharePoint 2013 hosts, and clients.

[Figure: Example of topology with Office Web Apps Server]

Based on our performance tests, an Office Web Apps Server, together with two Intel Xeon processors (8 cores), 8 GB of RAM, and a 60 GB hard disk, should support up to 10,000 users where most of the usage is viewing. A server that has a 16 core CPU and 16 GB of RAM should support up to 20,000 users. These results will vary, depending on usage patterns and other factors such as network hardware.

Security planning for Office Web Apps Server

The following information introduces security guidance for Office Web Apps Server.

Securing Office Web Apps Server communications by using HTTPS

Office Web Apps Server can communicate with SharePoint 2013, Lync Server 2013, and Exchange Server 2013 by using the HTTPS protocol. In production environments, we strongly recommend that you use HTTPS. You’ll have to install an Internet Server certificate that can be assigned to the server that runs Office Web Apps Server (if you are using a single server) or to the load balancer (if you are using multiple servers that run Office Web Apps Server).

In test environments that contain no user data, you can use HTTP for SharePoint 2013 and Exchange Server 2013 and skip the certificate requirement. Lync Server 2013 supports only HTTPS.

Caution:

Use of HTTP exposes any data viewed by using Office Web Apps Server to security vulnerabilities. HTTPS is a core part of the security of Office Web Apps Server and we highly recommend that you use it.

Certificates that are used by Office Web Apps Server must meet the following requirements:

  • The certificate must come from a trusted Certificate Authority and include the fully qualified domain name (FQDN) of your Office Web Apps Server farm in the SAN (Subject Alternative Name) field. (If the FQDN is not in the SAN when you try to use the certificate, the browser will either show security warnings or won’t process the response.)

  • The certificate must have an exportable private key. On single-server farms, this option is selected by default when you use the Internet Information Services (IIS) Manager snap-in to import the certificate.

  • The Friendly name field must be unique within the Trusted Root Certificate Authorities store. If you have multiple certificates that share a Friendly Name field, farm creation will fail because the New-OfficeWebAppsFarm cmdlet will not know which of those certificates to use.

  • The FQDN in the SAN field must not begin with an asterisk (*).

  • The certificate properties and extensions do not matter. For example, customers have asked us whether Client Enhanced Key Usage (EKU) extensions or Server EKU extensions are required. Office Web Apps Server requires no particular certificate property or extension.

Additionally, the certificate must be imported as follows:

  • For single-server farms: You must import the certificate directly on the server that runs Office Web Apps Server. Don’t bind the certificate manually. The New-OfficeWebAppsFarm cmdlet that you run later will do this for you. If you bind the certificate manually, it will be deleted every time that the server restarts.

  • For load-balanced farms: If you are offloading SSL, the certificate must be imported on the hardware load balancer. If you are not offloading SSL, you must install the certificate on each server in the Office Web Apps Server farm.

Note:

Don’t use self-signed certificates except in non-critical test environments.

For more information about certificates, see How to Obtain an SSL Certificate.
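
The certificate requirements listed above can be checked before farm creation. The following is an added example, not Microsoft's code: the record fields, the friendly names, and the store path in the closing comment are assumptions, and the sample records are constructed.

```powershell
# Added example, not Microsoft's code. Record fields and sample values are constructed.

# Reduce an X509Certificate2 from a certificate store to the fields the checks need.
function ConvertTo-CertRecord {
    param([Parameter(Mandatory = $true)] $Certificate)
    # The Subject Alternative Name extension has OID 2.5.29.17. Format() output is
    # locale-dependent; "DNS Name=" is the English Windows form (assumption).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @()
    if ($san) {
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    # Exportability is readable only for CSP-backed keys; $null means "unknown".
    $exportable = $null
    try { $exportable = $Certificate.PrivateKey.CspKeyContainerInfo.Exportable } catch { }
    [pscustomobject]@{
        FriendlyName  = $Certificate.FriendlyName
        SanDnsNames   = $names
        HasPrivateKey = $Certificate.HasPrivateKey
        Exportable    = $exportable
        SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
    }
}

# Emit one message per requirement the named certificate fails (nothing when it passes).
function Test-OwaCertificate {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Records,     # every certificate in the store
        [Parameter(Mandatory = $true)] [string] $FriendlyName,  # name the farm cmdlet will look up
        [Parameter(Mandatory = $true)] [string] $FarmFqdn
    )
    $named = @($Records | Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($named.Count -ne 1) {
        return "Friendly name '$FriendlyName' matches $($named.Count) certificates; it must match exactly one."
    }
    $cert = $named[0]
    if ($FarmFqdn.StartsWith('*')) {
        "The farm FQDN '$FarmFqdn' begins with an asterisk."
    }
    if ($cert.SanDnsNames -notcontains $FarmFqdn) {
        "The SAN field does not list '$FarmFqdn' (found: $($cert.SanDnsNames -join ', '))."
    }
    if (-not $cert.HasPrivateKey) {
        'The certificate has no private key on this server.'
    } elseif ($null -eq $cert.Exportable) {
        'Private key exportability could not be read; check it manually.'
    } elseif (-not $cert.Exportable) {
        'The private key is not exportable.'
    }
    if ($cert.SelfSigned) {
        'The certificate is self-signed; use it only in non-critical test environments.'
    }
}

# Constructed sample: one good certificate, one wildcard, and two sharing a friendly name.
$fqdn = 'officewebapps.corp.contoso.com'
$sample = @(
    [pscustomobject]@{ FriendlyName = 'OWA-Farm'; SanDnsNames = @($fqdn)
                       HasPrivateKey = $true; Exportable = $true; SelfSigned = $false },
    [pscustomobject]@{ FriendlyName = 'OWA-Wildcard'; SanDnsNames = @('*.corp.contoso.com')
                       HasPrivateKey = $true; Exportable = $false; SelfSigned = $true },
    [pscustomobject]@{ FriendlyName = 'OWA-Old'; SanDnsNames = @($fqdn)
                       HasPrivateKey = $true; Exportable = $true; SelfSigned = $false },
    [pscustomobject]@{ FriendlyName = 'OWA-Old'; SanDnsNames = @($fqdn)
                       HasPrivateKey = $false; Exportable = $null; SelfSigned = $false }
)
foreach ($name in 'OWA-Farm', 'OWA-Wildcard', 'OWA-Old') {
    $problems = @(Test-OwaCertificate -Records $sample -FriendlyName $name -FarmFqdn $fqdn)
    '{0}: {1} problem(s)' -f $name, $problems.Count
    $problems | ForEach-Object { "  - $_" }
}

# On a server, build the records from a store instead of the sample, for example:
#   $records = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { ConvertTo-CertRecord $_ }
# Cert:\LocalMachine\My is an assumption; for the uniqueness rule the article names the
# Trusted Root Certification Authorities store, which is Cert:\LocalMachine\Root.
```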

Using SSL offloading for hardware load balancers

When you set up a new Office Web Apps Server farm, SSL offloading is set to off by default. When SSL is offloaded, it allows each Office Web Apps Server in the farm to communicate by using HTTP with the load balancer. However, all references to resources in the HTML are HTTPS references. If you don't set this and you try to use HTTP, users will not be able to see resources or they will see security warnings. When offloading is set to off, SSL terminates at the individual servers that run Office Web Apps Server instead of the hardware load balancer. If you terminate SSL at the load balancer instead, it provides the following advantages:

  • Simplified certificate management

  • Improved soft affinity

  • Improved performance

Traffic from the load balancer to the servers that run Office Web Apps Server is not encrypted, so you need to make sure that the network itself is secure. Use of a private subnet can help protect traffic.

Restrict which servers can join an Office Web Apps Server farm based on OU membership

You can prevent unauthorized servers from joining an Office Web Apps Server farm by creating an organizational unit for those servers and then specifying the FarmOU parameter when you create the farm. See the article New-OfficeWebAppsFarm for more information about the FarmOU parameter.

Limit host access for Office Web Apps Server by using the Allow List

The Allow List is a security feature that prevents unwanted hosts from connecting to an Office Web Apps Server farm and using it for file operations without your consent. By adding the domains that contain approved hosts to the Allow List, you can limit the hosts to which Office Web Apps Server allows file operations requests, such as file retrieval, metadata retrieval, and file changes.

You can add domains to the Allow List after you have created the Office Web Apps Server farm. See the article New-OfficeWebAppsHost to learn how to add domains to the Allow List.

Important:

If you do not add domains to the Allow List, Office Web Apps Server allows file requests to hosts in any domain. Do not leave this list blank if your Office Web Apps Server farm can be accessed from the Internet. Otherwise anyone can use your Office Web Apps Server farm to view and edit content.

Planning for Online Viewers

By default, Online Viewers functionality is enabled after you install Office Web Apps Server. Review the following guidelines if you’re planning to use Online Viewers in your organization. In some cases, you might want to disable some features within Online Viewers. These guidelines refer to parameters that are set by using the Windows PowerShell cmdlets New-OfficeWebAppsFarm and Set-OfficeWebAppsFarm.

Security considerations for Online Viewers

Files that are intended to be viewed through a web browser by using Online Viewers must not require authentication. In other words, the files must be available publicly because Online Viewers can’t perform authentication when it is retrieving files. We strongly recommend that the Office Web Apps Server farm that you use for Online Viewers is only able to access either the Intranet or the Internet, but not both. This is because Office Web Apps Server does not differentiate between requests for Intranet and Internet URLs. If a request comes from the Internet for an Intranet URL, for example, a security leak might occur if an internal document is served to somebody on the Internet.

For the same reason, if you have set up the Office Web Apps Server to connect only to the Internet, we strongly recommend that you disable UNC support in Online Viewers. To disable UNC support, set the OpenFromUncEnabled parameter to False by using the Windows PowerShell cmdlets New-OfficeWebAppsFarm (for new farms) or Set-OfficeWebAppsFarm (for existing farms).

As an additional security precaution, Online Viewers are limited to viewing Office files that are 10 MB or less.

Configuration options for Online Viewers

You can configure Online Viewers by using the following Windows PowerShell parameters in New-OfficeWebAppsFarm (for new farms) or Set-OfficeWebAppsFarm (for existing farms).

  • OpenFromUrlEnabled: Turns the Online Viewers on or off. This parameter controls Online Viewers for files that have URL and UNC paths. By default, this parameter is set to False (disabled) when you create a new Office Web Apps Server farm.

  • OpenFromUncEnabled: When Online Viewers are turned on (set to True by using OpenFromUrlEnabled), this parameter turns on or off the ability for Online Viewers to display files in UNC paths. By default, this parameter is set to True, but be sure that OpenFromUrlEnabled is also set to True before you enable opening files from UNC paths. As described earlier, we recommend that you set this parameter to False if you have set up Office Web Apps Server to connect to the Internet.

  • OpenFromUrlThrottlingEnabled: Throttles the number of open from URL requests from any given server in a time period. The default throttling values, which are not configurable, make sure that an Office Web Apps Server farm does not overwhelm a single server by sending requests for content to be viewed in the Online Viewers.
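
The security guidance above (HTTPS, FarmOU, the Allow List, SSL offloading, and UNC support in Online Viewers) can be turned into a configuration audit. The following is an added example, not Microsoft's code: the function name, the severity labels, the -InternetFacing switch, and the sample farm object are assumptions, and the sample values are constructed from the example topology in this article.

```powershell
# Added example, not Microsoft's code. The sample farm object below is constructed.
function Test-OwaFarmHardening {
    param(
        [Parameter(Mandatory = $true)] $Farm,   # shaped like the output of Get-OfficeWebAppsFarm
        [string[]] $AllowList = @(),            # domains added with New-OfficeWebAppsHost
        [switch] $InternetFacing                # assumption: stated by the operator, not detected
    )
    function New-Finding($Setting, $Severity, $Message) {
        [pscustomobject]@{ Setting = $Setting; Severity = $Severity; Message = $Message }
    }
    # HTTPS is a core part of the farm's security in any environment with user data.
    if ($Farm.AllowHTTP) {
        New-Finding 'AllowHTTP' 'High' 'HTTP is allowed; data viewed through the farm is exposed.'
    }
    foreach ($name in 'InternalURL', 'ExternalURL') {
        $url = [string]$Farm.$name
        if ($url -and $url -notlike 'https://*') {
            New-Finding $name 'High' "$url is not an HTTPS URL."
        }
    }
    # Without FarmOU, servers outside the designated OU are not kept out of the farm.
    if (-not $Farm.FarmOU) {
        New-Finding 'FarmOU' 'Medium' 'No OU restriction on which servers can join the farm.'
    }
    # An empty Allow List lets hosts in any domain use the farm for file operations.
    if ($AllowList.Count -eq 0) {
        $severity = if ($InternetFacing) { 'High' } else { 'Medium' }
        New-Finding 'Allow List' $severity 'Empty; file requests to hosts in any domain are allowed.'
    }
    # Online Viewers do not distinguish Intranet from Internet requests.
    if ($InternetFacing -and $Farm.OpenFromUrlEnabled -and $Farm.OpenFromUncEnabled) {
        New-Finding 'OpenFromUncEnabled' 'High' 'Online Viewers can open UNC paths on an Internet-connected farm.'
    }
    # With offloading on, the hop from the load balancer to the servers is plain HTTP.
    if ($Farm.SSLOffloaded) {
        New-Finding 'SSLOffloaded' 'Info' 'Load balancer to server traffic is unencrypted; confirm a private subnet.'
    }
}

# Constructed sample using the host names from the example topology.
$sampleFarm = [pscustomobject]@{
    InternalURL        = 'https://officewebapps.corp.contoso.com'
    ExternalURL        = 'https://officewebapps.extranet.contoso.com'
    AllowHTTP          = $false
    SSLOffloaded       = $true
    FarmOU             = ''
    OpenFromUrlEnabled = $true
    OpenFromUncEnabled = $true
}

# Internet-facing farm with an empty Allow List.
Test-OwaFarmHardening -Farm $sampleFarm -InternetFacing | Format-Table -AutoSize

# Same farm treated as internal only, with one approved domain.
Test-OwaFarmHardening -Farm $sampleFarm -AllowList 'contoso.com' | Format-Table -AutoSize

# On a farm server, pass the live configuration instead of the sample:
#   Test-OwaFarmHardening -Farm (Get-OfficeWebAppsFarm) -AllowList <domains reported by Get-OfficeWebAppsHost>
```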

Planning updates for Office Web Apps Server

Before deploying Office Web Apps Server, you must decide how your organization will manage software updates to your Office Web Apps Server farm. Although software updates help improve server security, performance, and reliability, installing updates incorrectly can cause issues with the Office Web Apps Server.

Applying Office Web Apps Server updates by using the Microsoft automatic updates process isn’t supported with Office Web Apps Server. This is because updates to an Office Web Apps Server must be applied in a specific way, as described in Apply software updates to Office Web Apps Server. If Office Web Apps Server updates are applied automatically, users may be unable to view or edit documents in Office Web Apps. If this happens, you have to rebuild your Office Web Apps Server farm.

We recommend that you manage updates by using Windows Server Update Services (WSUS) or by using System Center Configuration Manager, which uses WSUS. WSUS allows you to fully manage the distribution of updates that are released through Microsoft Update for each server in the Office Web Apps Server farm. By using WSUS, you can decide which updates can be automatically applied to the server farm and which updates, like Office Web Apps Server updates, have to be manually applied. For more information about WSUS, see Windows Server Update Services.

If you do not use WSUS or System Center Configuration Manager, set Microsoft automatic updates on each server in the Office Web Apps Server farm to Automatically download but notify user for install. When you are notified of an Office Web Apps Server update, follow the steps in Apply software updates to Office Web Apps Server. To have Windows updates applied and keep your servers secure, accept the Windows updates when you are notified that updates are available.

Change History

Date             Description
April 16, 2013   Updated recommendation for managing Office Web Apps Server updates.
July 16, 2012    Initial publication

© 2013 Microsoft. All rights reserved.