Plan Office Web Apps Server

Applies to: Office Web Apps Server

Topic last modified: 2017-03-09

Summary: Describes Office Web Apps Server requirements and prerequisites, including HTTPS, certificates, virtualization, load balancing, topologies, and security.

Audience: IT Professionals

Office Web Apps Server delivers browser-based versions of Office apps in an on-premises environment, giving users more flexibility and collaboration opportunities. This article describes the requirements and steps you need to take to install Office Web Apps Server in your organization.

It’s important to carefully plan so that all hosts, such as SharePoint 2013, Exchange Server 2013, and Lync Server 2013, can communicate with Office Web Apps Server. For additional guidance about configuring hosts, see the following resources:

Note:
SharePoint 2010 Products can’t be a host for Office Web Apps Server. Office Web Apps Server isn’t supported by SharePoint Foundation 2010 or SharePoint Server 2010.

You can install Office Web Apps Server as a single-server Office Web Apps Server farm, or as a multi-server, load-balanced Office Web Apps Server farm. You can use physical servers or virtual machine instances, but you can’t install other server applications (such as SharePoint 2013 or SQL Server) on the same server as Office Web Apps Server.

In environments that contain actual user data, we always recommend that you use HTTPS, for which you’ll have to obtain a certificate. If you’re using multiple servers in your farm, you’ll have to configure a hardware or software load-balancing solution. You can learn more about these scenarios in the following sections.

Office Web Apps Server uses the same minimum hardware requirements as SharePoint Server 2013. You can find the full set of SharePoint 2013 requirements in Hardware requirements: web servers, application servers, and single server installations.

You can run Office Web Apps Server on the following operating systems:

  • The 64-bit edition of Windows Server 2008 R2 Service Pack 1 (SP1) Standard, Enterprise, or Datacenter with the Update for Windows Server 2008 R2 x64 Edition installed

  • The 64-bit edition of Windows Server 2012 Standard or Datacenter

  • The 64-bit edition of Windows Server 2012 R2. To use this operating system, you must use Office Web Apps Server Service Pack 1 (SP1).

All servers in the Office Web Apps Server farm must be part of a domain. They can be in the same domain (recommended) or in domains that are in the same forest. However, Office Web Apps Server won’t work if you try to install it on a domain controller.

First, here are a few things you should NOT do when deploying Office Web Apps Server.

  • Don’t install any other server applications on the server that’s running Office Web Apps Server. This includes Exchange Server, SharePoint Server, Lync Server, and SQL Server. If you have a shortage of servers, consider running Office Web Apps Server in a virtual machine instance on one of the servers you have.

  • Don’t install any services or roles that depend on the Web Server (IIS) role on port 80, 443, or 809 because Office Web Apps Server periodically removes web applications on these ports.

  • Don’t install any version of Office. If it’s already installed, you’ll need to uninstall it before you install Office Web Apps Server.

  • Don’t install Office Web Apps Server on a domain controller. It won’t run on a server with Active Directory Domain Services (AD DS).

Now for the items you DO need to install. See the following table for details.

Important:
Office Web Apps Server is only available for download from the Volume Licensing Service Center (VLSC). To download Office Web Apps Server you must have a license, under a Volume Licensing agreement, for Office Professional Plus 2013, Office Standard 2013, or Office for Mac 2011. The download is located under those Office products on the VLSC portal.

Downloads, server roles, and features that are required for Office Web Apps Server

Each download, server role, or feature is listed with what applies if you’re installing on Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.

Download: Office Web Apps Server

  • Windows Server 2008 R2: Office Web Apps Server

  • Windows Server 2012: Office Web Apps Server

  • Windows Server 2012 R2: Office Web Apps Server

Download: Office Web Apps Server SP1

  • Windows Server 2008 R2: Recommended

  • Windows Server 2012: Recommended

  • Windows Server 2012 R2: Office Web Apps Server SP1

Download: Correct version of .NET Framework

  • Windows Server 2008 R2: .NET Framework 4.5

  • Windows Server 2012: .NET Framework 4.5 is already installed

  • Windows Server 2012 R2: .NET Framework 4.5.2

Download: Update for Windows Server 2008 R2 x64 Edition

  • Windows Server 2008 R2: Update for Windows Server 2008 R2 x64 Edition

  • Windows Server 2012: Not applicable

  • Windows Server 2012 R2: Not applicable

Download: Windows PowerShell 3.0

  • Windows Server 2008 R2: Windows PowerShell 3.0

  • Windows Server 2012: Already installed

  • Windows Server 2012 R2: Already installed

Server role: Web Server (IIS)

If you’re installing on Windows Server 2008 R2, here are the minimum role services required for the Web Server (IIS) server role.

Common HTTP Features

  • Static Content

  • Default Document

Application Development

  • ASP.NET

  • .NET Extensibility

  • ISAPI Extensions

  • ISAPI Filters

  • Server Side Includes

Security

  • Windows Authentication

  • Request Filtering

Management Tools

  • IIS Management Console

The following options are recommended but not required:

Performance

  • Static Content Compression

  • Dynamic Content Compression

If you’re installing on Windows Server 2012 or Windows Server 2012 R2, here are the minimum role services required for the Web Server (IIS) server role.

Management Tools

  • IIS Management Console

Web Server

  • Common HTTP Features

  • Default Document

  • Static Content

Security

  • Request Filtering

  • Windows Authentication

Application Development

  • .NET Extensibility 4.5

  • ASP.NET 4.5

  • ISAPI Extensions

  • ISAPI Filters

  • Server Side Includes

The following services are recommended but not required:

Performance

  • Static Content Compression

  • Dynamic Content Compression

Feature: Ink and Handwriting Services

  • Windows Server 2008 R2: Ink and Handwriting Services, including Ink Support

  • Windows Server 2012: Ink and Handwriting Services. Ink Support is not required.

  • Windows Server 2012 R2: Ink and Handwriting Services. Ink Support is not required.

Office Web Apps Server is fully supported when you deploy it using Windows Server Hyper-V technology. If you plan to virtualize Office Web Apps Server, follow these guidelines:

  • Install Office Web Apps Server in its own virtual machine instance. Don’t install any other server applications, such as SharePoint 2013, in this instance.

  • It’s okay to install Office Web Apps Server in a virtual machine instance hosted by a server running SharePoint 2013.

  • For multi-server Office Web Apps Server farms, each instance should be on a separate virtual machine host. This way, the Office Web Apps Server farm will still be available if one of the hosts fails.

Firewalls can cause problems by blocking communication between the web browser, the servers that run Office Web Apps Server, and the servers that run SharePoint 2013. These problems can be more complicated when the servers are in different parts of a network.

Make sure the following ports aren’t blocked by firewalls on either the server that runs Office Web Apps Server or the load balancer:

  • Port 443 for HTTPS traffic

  • Port 80 for HTTP traffic

  • Port 809 for private traffic between the servers that run Office Web Apps Server (if you’re setting up a multi-server farm)

We recommend a load balancing solution when you run Office Web Apps Server on two or more servers. Just about any load balancing solution will work, including a server that runs the Web Server (IIS) role running Application Request Routing (ARR). In fact, you can run ARR on one of the servers that runs Office Web Apps Server. If you don’t have a load balancing solution, take a look at these resources for using IIS with ARR:

Ideally, try to find a load balancing solution that supports the following features:

  • Layer 7 routing

  • Enabling client affinity or front-end affinity

  • Enabling SSL offloading

If you use a load balancer, you’ll need to install the certificate on the load balancer as described under Securing Office Web Apps Server communications by using HTTPS.

In environments that use HTTPS and load balancing, you have to update DNS so that the fully qualified domain name (FQDN) of the certificate resolves to either the IP address of the server that runs Office Web Apps Server or to the IP address assigned to the load balancer for the Office Web Apps Server farm.

Office Web Apps Server 2013 Language Packs enable users to view web-based Office files in multiple languages from SharePoint 2013 document libraries, Outlook Web App (as attachment previews), and Lync 2013 (as PowerPoint broadcasts). But, this depends on the languages that are configured on the host. To view web-based Office files from hosts in multiple languages, you must have the following in place:

  • The host (such as SharePoint Server 2013, Exchange Server 2013, or Lync Server 2013) is configured to run applications in additional languages. The process of installing and configuring language packs on the host is independent of installing a language pack on the Office Web Apps Server farm.

  • The languages are installed and are available on all servers in the Office Web Apps Server farm.

Here’s where to download the language packs for Office Web Apps Server.

At a minimum, an Office Web Apps Server topology will include one physical or virtual machine running Office Web Apps Server, and at least one host (for example, a server running Exchange Server 2013, Lync Server 2013 or SharePoint 2013). And of course, you’ll need a client PC or device to connect to one of the hosts and use the Office Web Apps functionality. From that minimal topology, you can add more hosts and more servers to your Office Web Apps Server farm as required to suit the needs of your organization.

The following is a list of recommendations that you should keep in mind as your Office Web Apps Server topology gets more complex.

  • Plan for redundancy. If you use virtual machine instances, make sure you put them on separate virtual machine hosts for redundancy. It’s okay if other instances on the host run server applications—just don’t run other server applications on the same instance as Office Web Apps Server.

  • Stick to one data center. Servers in an Office Web Apps Server farm must be in the same data center. Don’t distribute them geographically. Generally you need only one farm, unless you have security needs that require an isolated network that has its own Office Web Apps Server farm.

  • The closer the hosts, the better. The Office Web Apps Server farm doesn’t have to be in the same data center as the hosts it serves, but for heavy editing usage, we recommend you put the Office Web Apps Server farm as close to the hosts as possible. This is less important for organizations that use Office Web Apps primarily for viewing Office files.

  • Plan your connections. Connect all servers in the Office Web Apps Server farm only to one another. To connect them to a broader network, do so through a reverse proxy load balancer firewall.

  • Configure the firewall for HTTP or HTTPS requests. Make sure the firewall allows servers running Office Web Apps Server to initiate HTTP or HTTPS requests to hosts.

  • Plan for incoming and outgoing communications. In an Internet-facing deployment, route all outgoing communications through a NAT device. In a multi-server farm, handle all incoming communications with a load balancer.

  • Make sure all servers in the Office Web Apps Server farm are joined to a domain and are part of the same organizational unit (OU). Use the FarmOU parameter in the New-OfficeWebAppsFarm cmdlet to prevent other servers that are not in this OU from joining the farm.

  • Use Hypertext Transfer Protocol Secure (HTTPS) for all incoming requests.

  • If you have IPsec deployed in the network, use it to encrypt traffic among the servers.

  • Plan for Office features that use the Internet. If features such as clip art and translation services are needed, and the servers in the farm can’t initiate requests to the Internet, you’ll need to configure a proxy server for the Office Web Apps Server farm. This will allow HTTP requests to external sites.

The following information introduces security guidance for Office Web Apps Server.

Office Web Apps Server can communicate with SharePoint 2013, Lync Server 2013, and Exchange Server 2013 by using the HTTPS protocol. In production environments, we strongly recommend that you use HTTPS. You’ll have to install an Internet Server certificate that can be assigned to the server that runs Office Web Apps Server (if you are using a single server) or to the load balancer (if you are using multiple servers that run Office Web Apps Server).

In test environments that contain no user data, you can use HTTP for SharePoint 2013 and Exchange Server 2013 and skip the certificate requirement. Lync Server 2013 supports only HTTPS.

Certificates used by Office Web Apps Server need to meet the following requirements:

  • The certificate must come from a trusted Certificate Authority and include the fully qualified domain name (FQDN) of your Office Web Apps Server farm in the SAN (Subject Alternative Name) field. (If the FQDN is not in the SAN when you try to use the certificate, the browser will either show security warnings or won’t process the response.)

  • The certificate must have an exportable private key. On single-server farms, this option is selected by default when you use the Internet Information Services (IIS) Manager snap-in to import the certificate.

  • The Friendly name field must be unique within the Trusted Root Certificate Authorities store. If you have multiple certificates that share a Friendly Name field, farm creation will fail because the New-OfficeWebAppsFarm cmdlet won’t know which of those certificates to use.

  • Office Web Apps Server doesn’t require any special certificate properties or extensions. For example, Client Enhanced Key Usage (EKU) extensions or Server EKU extensions are not required.

  • On Windows Server 2012 or Windows Server 2012 R2, you must install the "Allow HTTP Activation" Windows Communication Foundation (WCF) feature.

The certificate must be imported as follows:

  • For single-server farms: You must import the certificate directly on the server that runs Office Web Apps Server. Don’t bind the certificate manually. The New-OfficeWebAppsFarm cmdlet you run later will do this for you. If you bind the certificate manually, it’ll be deleted every time the server restarts.

  • For load-balanced farms: If you’re offloading SSL, the certificate must be imported on the hardware load balancer. If you’re not offloading SSL, you’ll need to install the certificate on each server in the Office Web Apps Server farm.

Note:
Don’t use self-signed certificates except in non-critical test environments.

For more information about certificates, see How to Obtain an SSL Certificate.
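
The certificate requirements above can be checked on the server before you run New-OfficeWebAppsFarm. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling; the function name, the sample FQDN and friendly name, and the choice of certificate stores to search are assumptions.

```powershell
# Added example (not Microsoft code): preflight for the farm certificate.
# Assumptions: function name, sample FQDN/friendly name, and the stores searched.
function Test-OwaFarmCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $FarmFqdn,
        [Parameter(Mandatory = $true)] [string] $FriendlyName,
        [string[]] $Stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root')
    )
    $findings = @()

    # The friendly name must identify exactly one certificate, or farm creation fails.
    $candidates = @(Get-ChildItem -Path $Stores |
        Where-Object { $_.FriendlyName -eq $FriendlyName })
    $thumbprints = @($candidates | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
    if ($thumbprints.Count -eq 0) {
        return @("No certificate has the friendly name '$FriendlyName'.")
    }
    if ($thumbprints.Count -gt 1) {
        $findings += "Friendly name '$FriendlyName' is shared by $($thumbprints.Count) certificates."
    }
    # Prefer the copy that carries a private key.
    $cert = $candidates | Sort-Object -Property HasPrivateKey -Descending | Select-Object -First 1

    # The farm FQDN must appear in the SAN extension (OID 2.5.29.17).
    # Format() text is localized; 'DNS Name=' is the English-language label.
    # Only exact matches are evaluated here, not wildcard SAN entries.
    $sanNames = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $sanNames = @($san.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { $_.Substring(9).Trim() })
    }
    if ($sanNames -notcontains $FarmFqdn) {
        $findings += "SAN does not list '$FarmFqdn' (found: $($sanNames -join ', '))."
    }

    # An exportable private key is required.
    if (-not $cert.HasPrivateKey) {
        $findings += 'Certificate has no private key on this server.'
    } else {
        $info = $null
        # Available for CSP-backed RSA keys; CNG keys may throw or return nothing.
        try { $info = $cert.PrivateKey.CspKeyContainerInfo } catch { }
        if (-not $info) {
            $findings += 'Could not read key container info; confirm exportability manually.'
        } elseif (-not $info.Exportable) {
            $findings += 'Private key is not marked exportable.'
        }
    }

    # Must chain to a CA this machine trusts; self-signed is for test use only.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += 'Certificate is self-signed: use only in non-critical test environments.'
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path and validity dates only
    if (-not $chain.Build($cert)) {
        $findings += 'Chain does not build to a trusted root: ' +
            (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
    return $findings
}

# Placeholder values; an empty result means every check passed.
Test-OwaFarmCertificate -FarmFqdn 'owa.contoso.example' -FriendlyName 'OWA Farm Certificate'
```

The chain check reflects what this server trusts; browsers on client machines must trust the same issuing CA.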

When you set up a new Office Web Apps Server farm, SSL offloading is set to Off by default. If you’re using a hardware load balancer, we recommend you set SSL offloading to On so that each Office Web Apps Server in the farm can communicate with the load balancer by using HTTP. Setting SSL offloading to On also provides the following advantages:

  • Simplified certificates management

  • Improved soft affinity

  • Improved performance

Note that when you use HTTP, traffic from the load balancer to the servers that run Office Web Apps Server isn’t encrypted, so you need to make sure the network itself is secure. Use of a private subnet can help protect traffic.

You can prevent unauthorized servers from joining an Office Web Apps Server farm by creating an organizational unit for those servers and then specifying the FarmOU parameter when you create the farm. For more information about the FarmOU parameter, see New-OfficeWebAppsFarm.

The Allow List is a security feature that prevents unwanted hosts from connecting to an Office Web Apps Server farm and using it for file operations without your consent. By adding the domains that contain approved hosts to the Allow List, you can limit the hosts to which Office Web Apps Server allows file operations requests, such as file retrieval, metadata retrieval, and file changes.

You can add domains to the Allow List after you’ve created the Office Web Apps Server farm. To learn how to add domains to the Allow List, see New-OfficeWebAppsHost.

Important:
If you do not add domains to the Allow List, Office Web Apps Server allows file requests to hosts in any domain. Don’t leave this list blank if your Office Web Apps Server farm can be accessed from the Internet. Otherwise, anyone can use your Office Web Apps Server farm to view and edit content.

By default, Online Viewers functionality is enabled after you install Office Web Apps Server. Review the following guidelines if you’re planning to use Online Viewers in your organization. In some cases, you might want to disable some features within Online Viewers. These guidelines refer to parameters that are set by using the Windows PowerShell cmdlets New-OfficeWebAppsFarm and Set-OfficeWebAppsFarm.

Files that are intended to be viewed through a web browser by using Online Viewers must not require authentication. In other words, the files must be available publicly because Online Viewers can’t perform authentication when it is retrieving files. We strongly recommend that the Office Web Apps Server farm that you use for Online Viewers is only able to access either the intranet or the Internet, but not both. This is because Office Web Apps Server doesn’t differentiate between requests for intranet and Internet URLs. Somebody on the Internet could request an intranet URL, for example, causing a security leak if an internal document is viewed.

For the same reason, if you have set up Office Web Apps Server to connect only to the Internet, we strongly recommend that you disable UNC support in Online Viewers. To disable UNC support, set the OpenFromUncEnabled parameter to False by using the Windows PowerShell cmdlets New-OfficeWebAppsFarm (for new farms) or Set-OfficeWebAppsFarm (for existing farms).

As an additional security precaution, Online Viewers are limited to viewing Office files that are 10 MB or less.

You can configure Online Viewers by using the following Windows PowerShell parameters in New-OfficeWebAppsFarm (for new farms) or Set-OfficeWebAppsFarm (for existing farms).

  • OpenFromUrlEnabled: Turns the Online Viewers on or off. This parameter controls Online Viewers for files that have URL and UNC paths. By default, this parameter is set to False (disabled) when you create a new Office Web Apps Server farm.

  • OpenFromUncEnabled: When Online Viewers are turned on (set to True by using OpenFromUrlEnabled), this parameter turns on or off the ability for Online Viewers to display files in UNC paths. By default, this parameter is set to True, but make sure OpenFromUrlEnabled is also set to True before you enable opening files from UNC paths. As described earlier, we recommend you set this parameter to False if you have set up Office Web Apps Server to connect to the Internet.

  • OpenFromUrlThrottlingEnabled: Throttles the number of “open from URL” requests from any given server in a time period. The default throttling values, which are not configurable, make sure that an Office Web Apps Server farm does not overwhelm a single server by sending requests for content to be viewed in the Online Viewers.
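
The security guidance above (FarmOU, HTTPS, SSL offloading, the Allow List, and the Online Viewers parameters) can be turned into a repeatable review. The following PowerShell is an added example, not part of the original article; the function name and the sample farm object are constructed, and the object's property names are assumed to match what Get-OfficeWebAppsFarm returns.

```powershell
# Added example (not Microsoft code): review farm settings against the guidance above.
# Assumption: $Farm exposes properties named like the New-OfficeWebAppsFarm parameters.
function Get-OwaFarmSecurityFinding {
    param(
        [Parameter(Mandatory = $true)] $Farm,
        [string[]] $AllowListDomains = @(),   # domains added with New-OfficeWebAppsHost
        [switch] $InternetFacing              # farm is reachable from, and connects to, the Internet
    )
    $findings = @()

    if ([string]::IsNullOrEmpty($Farm.FarmOU)) {
        $findings += 'FarmOU is empty: servers outside the intended OU are not blocked from joining the farm.'
    }
    foreach ($name in 'InternalURL', 'ExternalURL') {
        if ("$($Farm.$name)" -like 'http://*') {
            $findings += "$name uses HTTP: acceptable only in test environments that contain no user data."
        }
    }
    if ($Farm.SSLOffloaded) {
        $findings += 'SSL offloading is on: load balancer to server traffic is unencrypted, so keep it on a private subnet.'
    }
    if ($AllowListDomains.Count -eq 0) {
        $severity = if ($InternetFacing) { 'HIGH' } else { 'WARN' }
        $findings += "[$severity] Allow List is empty: file requests to hosts in any domain are allowed."
    }
    if ($Farm.OpenFromUrlEnabled) {
        $findings += 'Online Viewers are on: files are fetched without authentication, so the farm should reach the intranet or the Internet, not both.'
        if ($Farm.OpenFromUncEnabled -and $InternetFacing) {
            $findings += 'OpenFromUncEnabled is True on an Internet-connected farm: set it to False.'
        }
        if (-not $Farm.OpenFromUrlThrottlingEnabled) {
            $findings += 'OpenFromUrlThrottlingEnabled is False: "open from URL" requests to a single server are not throttled.'
        }
    }
    return $findings
}

# Constructed sample, not output from a real farm.
$sampleFarm = [pscustomobject]@{
    FarmOU                       = ''
    InternalURL                  = 'http://owa.contoso.example'
    ExternalURL                  = 'https://owa.contoso.example'
    SSLOffloaded                 = $true
    OpenFromUrlEnabled           = $true
    OpenFromUncEnabled           = $true
    OpenFromUrlThrottlingEnabled = $true
}
Get-OwaFarmSecurityFinding -Farm $sampleFarm -InternetFacing

# On a farm server, pass the live settings instead: -Farm (Get-OfficeWebAppsFarm)
```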

Before deploying Office Web Apps Server, you need to decide how your organization will manage software updates to your Office Web Apps Server farm. Although software updates help improve server security, performance, and reliability, installing updates incorrectly can cause issues with Office Web Apps Server.

Applying Office Web Apps Server updates by using the Microsoft automatic updates process isn’t supported with Office Web Apps Server. Updates to Office Web Apps Server must be applied in a specific way, as described in Apply software updates to Office Web Apps Server. If Office Web Apps Server updates are applied automatically, users might be unable to view or edit documents in Office Web Apps. If this happens, you have to rebuild your Office Web Apps Server farm.

We recommend that you manage updates by using Windows Server Update Services (WSUS) or by using System Center Configuration Manager, which uses WSUS. WSUS allows you to fully manage the distribution of updates that are released through Microsoft Update for each server in the Office Web Apps Server farm. By using WSUS, you can decide which updates can be automatically applied to the server farm and which updates, such as Office Web Apps Server updates, have to be manually applied. For more information about WSUS, see Windows Server Update Services.

If you do not use WSUS or System Center Configuration Manager, set Microsoft automatic updates on each server in the Office Web Apps Server farm to Automatically download but notify user for install. When you’re notified of an Office Web Apps Server update, follow the steps in Apply software updates to Office Web Apps Server. To have Windows updates applied and keep your servers secure, accept the Windows updates when you’re notified that updates are available.
