Lync MVP


Wednesday, September 4, 2013

Deploy Office Web Apps Server 2013 and external publishing

Prerequisites:
First, download the Microsoft Office Web Apps Server from here and the update from here. While it downloads, we can configure the other prerequisites.

Windows Server 2008 R2
If you’re using Windows Server 2008 R2, download Microsoft .NET Framework 4.5, Windows Management Framework 3.0, and KB2592525, which allows the applications to run in a Server 2008 R2 environment. Additionally, apply KB2670838.
Install all of the above, then run this from an elevated PowerShell:

Import-Module ServerManager

Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support
 
Restart the server if you’re prompted to do so.

Windows Server 2012 and Windows Server 2012 R2
If you’re using Windows Server 2012, it’s even easier: just run the following from an elevated PowerShell (Server 2012 imports the relevant PS modules automatically, so you don’t have to use the “Import-Module” command):
Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices
Restart the server if you’re prompted to do so.


Install the Microsoft Office Web Apps Server:

Certificate Requirements:

WAC Server configuration:
externalURL
internalURL
AllowHTTP: FALSE
SSLOffloading [1]: FALSE
CertificateName: OfficeWebApp

WAC Server certificate configuration:
Common Name: server.internalDomain.intern
SAN: server.internalDomain.intern
SAN: webapp.extDomain.de
SAN: server [2]

[1] TRUE if an HLB is used for SSL offloading.
[2] If the WAC Server is deployed without an externalURL, the NetBIOS name might appear!
 


Now start configuring the WAC server:
New-OfficeWebAppsFarm -InternalUrl "https://internalFQDN" -ExternalUrl "https://externalFQDN" -CertificateName "OfficeWebApp" -EditingEnabled

In Lync, you only need the internal discovery URL:
https://internalFQDN/hosting/discovery

Lync Server 2013 will identify the internal and external URLs configured on the WAC server.
Next, verify that the Lync 2013 Front End has the correct settings.
Filter the Lync FE event log for the WAC-related events 41032 and 41034.

You will find an entry similar to this:

- System
  - Provider 
     [ Name]  LS Data MCU        
  - EventID 41032
     [ Qualifiers]  17402      
   Level 4
   Task 1018
   Keywords 0x80000000000000
  - TimeCreated
     [ SystemTime]  2013-09-04T11:33:32.000000000Z      
   EventRecordID 5473
   Channel Lync Server
   Computer WACinternal.domain.intern
   Security
- EventData
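
One way to check what the discovery URL advertises, as an added example that is not code from the original post. The function name Get-WopiZoneHost is hypothetical, the sample XML is constructed from the placeholder host names in the certificate section, and the event query assumes the "Lync Server" channel shown in the entry above.

```powershell
# Added example, not from the original post: list the hosts a WAC discovery
# document advertises per network zone, then show the related Lync events.
function Get-WopiZoneHost {
    param([Parameter(Mandatory)][xml]$Discovery)
    foreach ($zone in $Discovery.'wopi-discovery'.'net-zone') {
        # Strip the query string (it holds <placeholder> tokens), keep the host.
        $hosts = $zone.app.action.urlsrc |
            ForEach-Object { ([uri]($_ -replace '\?.*$')).Host } |
            Sort-Object -Unique
        [pscustomobject]@{ Zone = $zone.name; Hosts = $hosts -join ', ' }
    }
}

# Constructed sample, trimmed to one action per zone.
$sample = [xml]@'
<wopi-discovery>
  <net-zone name="internal-https">
    <app name="PowerPoint">
      <action name="attend" ext="pptx" urlsrc="https://server.internalDomain.intern/m/ParticipantFrame.aspx?&lt;ui=UI_LLCC&amp;&gt;" />
    </app>
  </net-zone>
  <net-zone name="external-https">
    <app name="PowerPoint">
      <action name="attend" ext="pptx" urlsrc="https://webapp.extDomain.de/m/ParticipantFrame.aspx?&lt;ui=UI_LLCC&amp;&gt;" />
    </app>
  </net-zone>
</wopi-discovery>
'@

Get-WopiZoneHost -Discovery $sample

# Live check from the Front End (internalFQDN is the placeholder used above):
# $live = [xml](Invoke-WebRequest 'https://internalFQDN/hosting/discovery' -UseBasicParsing).Content
# Get-WopiZoneHost -Discovery $live

# On the Lync Front End: the latest WAC discovery events named above.
Get-WinEvent -FilterHashtable @{ LogName = 'Lync Server'; Id = 41032, 41034 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Each zone should list exactly one host, and that host must appear in the certificate's SAN list.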
 
 
SNOOPER TRACING with PowerPoint in WAC:
 
09/04/2013|14:55:10.399 558:61C INFO  ::
SERVICE sip:thomas.poett@acp-test.de SIP/2.0
Via: SIP/2.0/TLS 192.168.1.105:52102
Max-Forwards: 70
From: <sip:thomas.poett@acp-test.de>;tag=1216ee8c42;epid=fe5337abb5
To: <sip:thomas.poett@acp-test.de>
Call-ID: c858fcb8e8dd4390b20bd3957050e6d8
CSeq: 1 SERVICE
Contact: <sip:thomas.poett@acp-test.de;opaque=user:epid:qxOEj3bU1VaO18cHg7Lu4wAA;gruu>
User-Agent: UCCAPI/15.0.4517.1004 OC/15.0.4517.1004 (Microsoft Lync)
Proxy-Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="0A6C31A1", targetname="SVIELYNC.acp.local", crand="f0cb3d02", cnum="276", response="1ccdd5bb003db213989aeda53ed2f12c6e7d97ce"
Content-Type: application/msrtc-reporterror+xml
Content-Length: 1177
<reportError xmlns="http://schemas.microsoft.com/2006/09/sip/error-reporting"><error toUri="sip:thomas.test@testdomain.de;gruu;opaque=app:conf:focus:id:TYQF4ZHC" callId="3a63424bce4f4542a1878cf29782fd35" fromTag="6eec3407d5" toTag="23480080" requestType="" contentType="" responseCode="0"><diagHeader>54025;reason="A viewing URL navigation was attempted.";ClientType=Lync;Build=15.0.4517.1004;ContentMCU="sip:thomas.test@testdomain.de;gruu;opaque=app:conf:data-conf:id:TYQF4ZHC";ConferenceUri="sip:thomas.test@testdomain.de;gruu;opaque=app:conf:focus:id:TYQF4ZHC";LocalFqdn="KOL-SRVPOETT.acp.local";Url="https://webapp.testdomain.de/m/ParticipantFrame.aspx?a=0&amp;e=true&amp;WopiSrc=https%3A%2F%2Fmgacsap40.testdomain.intern%2FDataCollabWeb%2Fwopi%2Ffiles%2F5-1-2EB85D8&amp;access_token=AAMFEHCysGizzW9ZqKYwzMlxwFQGEM34svWrZyP-zsPbJWGjNzKBEHCysGizzW9ZqKYwzMlxwFSCAtO2gyAQW9O14tatIkg7-CY3o087igqpE1IlNxyRe8SIPyn0bYYI1bAhMch30AgIDURhdGFDb2xsYWJXZWI&amp;&lt;fs=FULLSCREEN&amp;&gt;&lt;rec=RECORDING&amp;&gt;&lt;thm=THEME_ID&amp;&gt;&lt;ui=UI_LLCC&amp;&gt;&lt;rs=DC_LLCC&amp;&gt;&lt;na=DISABLE_ASYNC&amp;&gt;"</diagHeader><progressReports/></error></reportError>


Troubleshooting:
Attempted Office Web Apps Server discovery Url: https://webapps.extDomain.de/hosting/discovery/
Received error message: The remote certificate is invalid according to the validation procedure.The number of retries: 13327, since 2/27/2013 9:07:42 PM.
or
Lync 2013 PowerPoint sharing issue: “There was a problem verifying the certificate from the server. Please contact your support team.”




CERTUTIL -URLFETCH -VERIFY "OfficeWebApp.cer"
Use this command to verify that the CDP used for the CRL check is correct. It verifies the HTTP connection.
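
A PowerShell check of the installed certificate against the certificate requirements above, as an added example that is not part of the original post. The function name Test-WacCertificate is hypothetical, the host names are the placeholders from the certificate section, and DnsNameList requires PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Run elevated on the WAC server.
$friendlyName = 'OfficeWebApp'   # the value passed to -CertificateName
# Placeholder names from the certificate section; replace with your FQDNs.
$required = 'server.internalDomain.intern', 'webapp.extDomain.de'

function Test-WacCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$RequiredName
    )
    # DNS names on the certificate; exact match only, wildcards are not expanded.
    $names   = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    $missing = @($RequiredName | Where-Object { $names -notcontains $_ })

    # Build the chain with online revocation checking, so an unreachable
    # CDP shows up here as a chain error.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($Certificate)

    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey
        Expired       = $Certificate.NotAfter -lt (Get-Date)
        MissingNames  = $missing -join ', '
        ChainValid    = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })
if ($certs.Count -ne 1) {
    Write-Warning "Expected one certificate named '$friendlyName', found $($certs.Count)."
}
$certs | ForEach-Object { Test-WacCertificate -Certificate $_ -RequiredName $required }
```

An empty MissingNames with ChainValid set to True means the names and the revocation check both pass on this server; run the same chain check from a Lync Front End to confirm it can reach the CDP as well.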

NOTE: IIS Error 500.21

For Windows Server 2008 R2
%systemroot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru
iisreset /restart /noforce


For Windows Server 2012
dism /online /enable-feature /featurename:IIS-ASPNET45



9 comments:

  1. Is there any way to monitor WAC to see who is actively using it?

  2. Hi John,
    Well, monitoring is possible with WAS/WAC.
    Microsoft automatically provides several performance counters during the server installation.
    You can e.g. monitor them with SC Operations Manager and define the thresholds.

  3. Does the OWA URL need to be published externally on TMG, for example?
    So do clients communicate with the OWA?

  4. Hi Rommel,
    If you require external Web Conferencing Content, you must publish WAC/WAS Server.
    This has nothing to do with Outlook Web App (OWA).
    These are two completely different aspects.

    If you indeed mean you want WAS enabled in OWA, then this is also valid; you must publish WAS.

    Thomas

  5. Thanks for the write up, Thomas. As far as the certificate is concerned, if using split DNS, can we get away with using one that only has the external name on it? We have an internal domain, which is .local, but after November 2015 certificates can't have the internal FQDN of the server on them. This would be similar to using a UC cert for Exchange that only has the external names for OWA, EWS, etc, and has the internal URLs reconfigured appropriately. I ask because I am integrating with Lync 2013, and I thought I read that you have to have the internal FQDN of the server on it.

    Replies
    1. Well Jason, you can do so, having the external name only. You need to take care of the internal/external URL settings, similar to Exchange.

  6. Can you not publish the external URL both internally and externally but setting an external DNS in AD?

    Replies
    1. Hi Mark,
      This is related to the SSL security checks. If Lync or another Office server becomes aware of the internal FQDN, it will use this and check the certificate SAN names from the client side; if they match, it processes the request. If you now publish the external URL to the internet as well, and the external request is routed to the WAC, the same process applies. So the external clients are able to process the request due to matching FQDNs.
      If you run an AD-related DNS domain internally (DNS split-domain concept), the same applies too.

      Hope this helps
      Thomas

  7. Does the OWA URL need to be distributed outer on TMG, for instance?
    So do customers correspond with the OWA?