I am writing this post to share a few best-practice points to consider while integrating Office Online Server (OOS) with a SharePoint 2016 farm. These points matter most when the SharePoint/OOS servers sit in the DMZ layer (external-facing secured servers).
In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually a larger network such as the Internet.
In such a setup, network firewall rules restrict which application URLs and servers are reachable: apart from the ports Windows requires, all other ports are blocked.
Points to consider while setting up OOS
- Port 443 open from the SharePoint servers to the OOS servers and vice versa
- Port 809 open between the SharePoint servers and the OOS servers (bi-directional)
- All application URLs / OOS URLs reachable from the servers (both SharePoint and OOS)
- Telnet from the SharePoint/OOS servers to the SharePoint internal URLs (default zone URLs) on port 443
- Telnet from the SharePoint servers to the OOS internal URL on ports 443 and 809
- Telnet from the OOS servers to the OOS URL on ports 443 and 809
- Certificate deployed on the OOS server (a friendly name is required in the case of a wildcard certificate)
- Certificate deployed on the SharePoint servers
- Certificate deployed in the SharePoint Central Administration trust store
- Enable TLS 1.2 on the SP/OOS servers: https://docs.microsoft.com/en-us/officeonlineserver/enable-tls-1-1-and-tls-1-2-support-in-office-online-server. The .NET strong-crypto registry values that go with it (both paths on a 64-bit server):
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
  "SchUseStrongCrypto"=dword:00000001
  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
  "SchUseStrongCrypto"=dword:00000001
- Check the WMI Performance Adapter service on the OOS server
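The checklist above can be verified with one script instead of by hand. The following is an added example, not part of the original post: it runs in an elevated PowerShell session on a SharePoint server (swap the host lists to run it from an OOS server) and covers the port checks, the two registry values, the certificate by friendly name and the WMI Performance Adapter service. Host names, ports and the friendly name are the sample values used in this post; Test-NetConnection needs Windows Server 2012 R2 or later.

```powershell
# Added example (not from the original post): pre-flight checks for the OOS/SharePoint
# integration list. Sample hosts, ports and certificate friendly name are taken from the post.

$oosServers  = @('SERVER1.FQDN.COM', 'SERVER2.FQDN.COM')             # OOS machines: 443 and 809
$oosUrlHosts = @('office-int.abc.fqdn.com', 'office.abc.fqdn.com')   # OOS farm URLs: 443
$spUrlHosts  = @('sp-int.abc.fqdn.com', 'sp.abc.fqdn.com')           # SharePoint zone URLs: 443
$friendly    = 'OOSABC'

# 1. TCP reachability: the same checks as the telnet items, without the telnet client.
$targets = @()
foreach ($h in $oosServers) { $targets += @{ Host = $h; Port = 443 }, @{ Host = $h; Port = 809 } }
foreach ($h in $oosUrlHosts + $spUrlHosts) { $targets += @{ Host = $h; Port = 443 } }
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    '{0,-26} {1,4} {2}' -f $t.Host, $t.Port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 2. .NET strong crypto (TLS 1.2 for .NET callers) at the two registry paths listed above.
$regPaths = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')
foreach ($rp in $regPaths) {
    $v = (Get-ItemProperty -Path $rp -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    $state = if ($null -eq $v) { 'MISSING (expected 1)' } elseif ($v -eq 1) { '1 (OK)' } else { "$v (expected 1)" }
    "$rp SchUseStrongCrypto = $state"
}

# 3. The certificate OOS binds by friendly name must be in LocalMachine\My with its private key
#    and must cover both OOS URL hosts (a wildcard entry such as *.abc.fqdn.com matches via -like).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $friendly } | Select-Object -First 1
if ($null -eq $cert) {
    "Certificate with friendly name '$friendly' NOT found in LocalMachine\My"
} else {
    "Certificate '$friendly': subject $($cert.Subject), expires $($cert.NotAfter), private key: $($cert.HasPrivateKey)"
    $dnsNames = $cert.DnsNameList.Unicode
    foreach ($h in $oosUrlHosts) {
        $covered = $dnsNames | Where-Object { $h -like $_ }
        "  covers $h : " + $(if ($covered) { 'yes' } else { 'NO' })
    }
}

# 4. WMI Performance Adapter (service name wmiApSrv), the service the checklist asks to verify on OOS.
$svc = Get-Service -Name wmiApSrv -ErrorAction SilentlyContinue
if ($null -eq $svc) { 'WMI Performance Adapter service not found' }
else { "WMI Performance Adapter: $($svc.Status), start type $($svc.StartType)" }
```

A BLOCKED line for port 809 between a SharePoint and an OOS server is the most common reason farm joins and WOPI calls fail in a DMZ, so run the script from both sides of the firewall.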
OOS Configuration
The PowerShell commands below integrate OOS with SharePoint over HTTPS, assuming that both the SharePoint URLs and the OOS URLs are external facing.
SharePoint Web Application URLs
https://sp.abc.fqdn.com → External URL (Extended Zone)
https://sp-int.abc.fqdn.com → Internal URL (Default Zone)
OOS URLs/ Servers
Internal URL: https://office-int.abc.fqdn.com
External URL: https://office.abc.fqdn.com
Certificate: office.abc.fqdn.com
Certificate Friendly Name: OOSABC
Primary Server: SERVER1.FQDN.COM
Secondary Server: SERVER2.FQDN.COM
Execute the following command on the OOS primary server:
New-OfficeWebAppsFarm -InternalUrl "https://office-int.abc.fqdn.com" `
    -ExternalUrl "https://office.abc.fqdn.com" -CertificateName "OOSABC" `
    -EditingEnabled
# Allow hosts in the SharePoint domain to use the farm
New-OfficeWebAppsHost -Domain "fqdn.com"
# Run this on the child (secondary) server, supplying the master (primary) server's FQDN
New-OfficeWebAppsMachine -MachineToJoin "SERVER1.FQDN.COM"
# Optional: reject plain HTTP and let OOS terminate TLS itself (uncomment to apply)
#Set-OfficeWebAppsFarm -AllowHttp:$false
#Set-OfficeWebAppsFarm -SSLOffloaded:$false
This is required only to open documents hosted on the OOS server for testing; turn it off again afterwards with -OpenFromUrlEnabled:$false.
Set-OfficeWebAppsFarm -OpenFromUrlEnabled:$true
Share a document (Excel/Word) on the OOS server and open it through the following URL:
https://office-int.abc.fqdn.com/op/generate.aspx → testing only
Validate the hosting URLs.
Execute the following commands on the SharePoint Central Administration server:
# -ServerName takes the OOS farm host name (or load-balanced FQDN), not a URL
New-SPWOPIBinding -ServerName "office-int.abc.fqdn.com"
Get-SPWOPIZone
Set-SPWOPIZone -zone "External-HTTPS"
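To check that the binding and zone commands above produced what was intended, the following added example (not part of the original post) runs on the SharePoint server after New-SPWOPIBinding / Set-SPWOPIZone. It reads the OOS farm's WOPI discovery document at /hosting/discovery, the endpoint New-SPWOPIBinding itself consumes, and confirms every advertised action URL is an HTTPS origin, then lists the bindings, the active zone and the SharePoint trust store. URLs and the zone name are the sample values from this post; the Invoke-WebRequest call assumes the SharePoint server already trusts the OOS certificate, and a TLS error there is itself a finding against the certificate steps in the checklist.

```powershell
# Added example (not from the original post): post-integration validation from a
# SharePoint server. URLs, host name and zone are the sample values used in the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$oosInternal  = 'https://office-int.abc.fqdn.com'
$oosServer    = 'office-int.abc.fqdn.com'
$expectedZone = 'external-https'

# 1. WOPI discovery: every action URL in every net-zone should sit on an https origin.
$disc = [xml](Invoke-WebRequest -Uri "$oosInternal/hosting/discovery" -UseBasicParsing).Content
foreach ($zone in $disc.'wopi-discovery'.'net-zone') {
    $origins = $zone.app.action.urlsrc |
        ForEach-Object { $_ -replace '^(https?://[^/]+).*$', '$1' } |
        Sort-Object -Unique
    '{0,-16} {1}' -f $zone.name, ($origins -join ', ')
    $plain = $origins | Where-Object { $_ -like 'http://*' }
    if ($plain) { "  WARNING: zone $($zone.name) advertises non-TLS origins: $($plain -join ', ')" }
}

# 2. Bindings must point at the OOS farm, and the active zone must be the one set with Set-SPWOPIZone.
$bindings   = @(Get-SPWOPIBinding)
$activeZone = Get-SPWOPIZone
"$($bindings.Count) WOPI bindings; active zone: $activeZone"
if ($activeZone -ne $expectedZone) { "WARNING: expected zone '$expectedZone'" }
$wrongServer = $bindings | Where-Object { $_.ServerName -ne $oosServer }
if ($wrongServer) {
    "WARNING: bindings for other servers: $(($wrongServer.ServerName | Sort-Object -Unique) -join ', ')"
}
$inZone = @($bindings | Where-Object { "$($_.WopiZone)" -eq $expectedZone })
$sample = ($inZone | Select-Object -First 3 | ForEach-Object { "$($_.Application)/$($_.Extension)/$($_.Action)" }) -join ', '
"$($inZone.Count) bindings in zone '$expectedZone' (e.g. $sample)"

# 3. The OOS certificate chain must be in the SharePoint trust store (Central Admin > Security > Manage trust).
Get-SPTrustedRootAuthority | ForEach-Object {
    "Trust: $($_.Name) -> $($_.Certificate.Subject) (expires $($_.Certificate.NotAfter))"
}
```

If the discovery document lists an http:// origin in any zone, the farm was created with AllowHttp enabled or the URLs were given without https, and SharePoint will happily create plain-HTTP bindings from it; recreate the farm with HTTPS URLs before running New-SPWOPIBinding again.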
Remove the OOS farm integration
Execute the following command on the SharePoint server:
Remove-SPWOPIBinding -All:$true
Execute the following command on each OOS server (child server first, then the master server):
Remove-OfficeWebAppsMachine