Enable Office Web Apps working in both Internal and External environment

In category SharePoint | August 3, 2013

SharePoint folks did complain the poor performance of their SharePoint machines in the past at the time when Office Web Apps was tightly integrated in SharePoint Server 2010. Office Web Apps services must be started in every SharePoint machine for end-user to be able to view and edit supported Microsoft Office products (Word, Excel, PowerPoint, OneNote) directly on their browser.

Thankfully with the new release of Microsoft Office system, Office Web Apps is no longer integrated in SharePoint 2010. It’s now a separate commercial product and can’t be installed in any server where SharePoint Server 2013 instance is installed. This significant change allows you to only have a server that is able to function to any SharePoint farm that connects to the OWA server. This improves performance a lot. The burden to your organization is that you have to prepare either a dedicated machine for OWA or install it on a non-SharePoint machine and purchase its license. This surely costs pretty much money for both hardware and licensing. I’m not going to go around the pros and cons of OWA Server 2013 in this article. To see more about the enhancement and new changes, read here.

One of the very common questions I’ve seen in the MSDN forum is the setup of OWA working in both internal and external environment. This thread has inspired me to write my note in this article to answer to the question. Below is the word-for-word question:

“I have successfully installed SharePoint 2013 and Office Web Apps on Azure VMs inside an Azure Virtual Network (IaaS model). Everything is working well. However, my testing has shown that external users and internal users can’t use Office Web Apps at the same time.

Office Web Apps, installed on its own vm, accommodates an external and internal URL quite well. However, SharePoint 2013 appears to only allow one setting for WOPI Zone, either internal or external but not both. I’ve set the WOPI zone to Internal-HTTPs (Set-SPWOPIZone –Zone “internal-https”). OWA works just fine if accessed from inside the Azure Virtual Network. However, if I try to access from outside the Virtual Network, from the Internet, Office Web Apps fails. The exact opposite is also true. I can set WOPI Zone to External-HTTPS and accessing from the Internet works fine, but accessing inside the Virtual Network fails.”

In this case, let’s say you have completely deployed and configured OWA in your internal environment. End-users from local network have access to SharePoint through the internal URL e.g. http://sharepoint/ and are able to view and edit shared documents directly in Internet Explorer.  However if end-users access SharePoint from Internet using the Internet-published domain e.g. http://sharepoint.abc.com, OWA doesn’t work because it from Internet routes to the internal URL you have set (e.g. http://owa). This happens many times when you don’t setup WOPI zone correctly. In my environment, there are two machines: app03 and app04. The app03 machine has SharePoint Server 2013 installed and the app04 machine is running Office Web Apps Server 2013 instance. These have already been joined to the domain controller with the name availys.lab. Note that all of these machines are hosted in my development/testing environment. Your environment may be different from mine. The SharePoint farm is virtualized inside Hyper-V and each machines has been assigned an internet-public IP.

On the SharePoint machine, if you haven’t configured Alternate Access Mapping setting yet, open it in your Central Administration site. (Application Management > Configure alternate access mappings).  In my case, the name of the web application I’ve created is http://app03. Now I need to edit its public URL to make it accessible from the Internet using my public URL http://ecodemo.availys.com. To tell you my guidance is actually correct, I have to be using the real domain name and the current configuration of the SharePoint farm in this article.

On the Alternate Access Mappings page, click Edit Public URLs then select web application at Alternate Access Mapping Collection setting. Under the Internet setting, enter your public URL. You then don’t necessarily have to edit binding setting in IIS if you aren’t using multiple addresses running in the same port.

After that, check the internal URL from local network while opening the public URL from the Internet. Make sure you have done configuring your Internet domain name to point to the public IP of the SharePoint machine. This can be done via domain control panel and depends on what hosting provider you are using, such as GoDaddy. In my case, I’m able to access http://app03 in local network while obviously being able to access http://ecodemo.availys.com from the Internet as below.

Now open OWA machine to create a new WAC farm.

New-OfficeWebAppsFarm –InternalUrl "http://app04" -ExternalUrl "http://198.xxx.xxx.xxx" -EditingEnabled

Because I’ve not configured my OWA machine to be published to the Internet so I have to use its Internet-public IP. It’s not a recommended best practice. In your case, the external URL would be http://owa.abc.com. Above I’m not using SSL certificate to encrypt data over the Internet. Just add CertificateName parameter if you want to use whether CA-issued certificate or self-signed certificate. Finally, check both internal URL (http://app03/hosting/discovery) and external URL (http://198.xxx.xxx.xxx/hosting/discovery) to confirm everything is working well. Your screen should display XML structure.

Now you need to re-bind all SharePoint machines to WAC farm using New-SPWOPIBinding (http://technet.microsoft.com/en-us/library/jj219441.aspx). Next, you just need to set the WOPI zone for external use even there is an internal use in your SharePoint environment.

Set-SPWOPIZone –zone “external-http”

Finally, configure Excel service and then upload an Excel workbook into a document library and check it. Below are the screenshots of OWA working on both internal and external environment.

As you see, there is no cheat that we used to use when playing game in childhood. The key thing here to note is that the FQDN of my SharePoint server isn’t published to the Internet because the domain controller and DNS is configured and run locally. Only Internet domain points to the public IP of the SharePoint machine. This would be the flickering light you would need to consider for SharePoint publishing portal. The lesson learnt here is not to use the real name of domain controller if you plan to use it over the Internet. For example, the FQDN domain controller shouldn’t be named abc.com, abc.net…etc. Ideally it should be something like abc.local. Microsoft wrote an article about naming conventions in Active Directory.

If you are using Windows Azure IaaS service to build and host SharePoint virtual machines, there are many required steps before deploying Office Web Apps. First, you need to create a virtual network to make your virtual machines possible to communicate with each other in the local network. Second, create endpoint with TCP protocol in conjunction with port 80 to allow your SharePoint machine to be able to communicate with others over the Internet. Below are some references that could help:

Working with network stuffs in Windows Azure looks like a night mare no ITPros  want to see in their dream.

In real-world scenarios, your environment may have firewall or reverse proxy (Forefront TMG, UAG, F5, Astaro..etc) put at the front-gate. OWA server should be published through firewall for better secure. This is always a good recommendation.

Stay tuned!

Share

19 thoughts on “Enable Office Web Apps working in both Internal and External environment

  1. Hi Thuan,

    Thank you for this useful article.

    I’ve the following question : do you have, as for the “internal-http” configuration, to run these lines ?

    $config = (Get-SPSecurityTokenServiceConfig)
    $config.AllowOAuthOverHttp = $true
    $config.Update()

    Thanks.

  2. Hi Benoit,

    I was only testing so I didn’t configure OWA over OAuth. Didn’t run the script you mention.

    Regards,
    -T.s

  3. tbithell says:

    My internal and external url for my portal is the same. Mostly people will be accessing the portal from outside the network, like 99% of the time once it is launched, but I would like it to work both internally and externally. I don’t see a way to get through that via AAM. Any guidance would be helpful. Thanks!

    1. What are you encountering? What is the URL when you access SharePoint from internal network and external network? Would it be different?

  4. santhiswaroop says:

    Hi Thuan,

    I have same scenario I have a two https site with one wild card certificate. https://portal.prosum.com( windows authentication enabled) and https://external.prosum.com (form authentication enabled)

    can you please tell me what powershell script I need to run in owa

    New-OfficeWebAppsFarm -InternalUrl https://portal.prosum.com -ExternalUrl https://external.prosum.com -EditingEnabled

  5. Hi Santhiswaroop, Did you run Set-SPWOPIZone –zone “external-https”?

  6. Jmetellus says:

    Is it possible to use OWA and Sharepoint beind the same firewall using the same Single public IP address

  7. Eric says:

    Are there any issues with having the internal and external URLs the same for OWA?

    Example the PowerShell command would be:
    New-OfficeWebAppsFarm -InternalUrl “https://office1.contoso.com” -ExternalUrl “https://office1.contoso.com” –EditingEnabled

    1. Hi Eric,

      You could do this by configuring DNS.

      Regards,
      -T.s

  8. Saeed Albarhami says:

    Is it possible to use http & https for internal & external in ordre
    Example:
    New-OfficeWebAppsFarm -InternalUrl “http://..” -ExternalUrl “https://…” –EditingEnabled

  9. Jimmy Stewart says:

    This is a great article however, am still having issues in our environment. We are using FQDN for both SP and OWA names. We are using ADFS as our authentication. We access internal using same URL as external. External uses Web Application Proxy. When access our https://site.domain.com url, we see content, but get a “this page cannot be displayed” error when trying to open a document using OWA. Question, do we need to create a web application proxy for OWA in this scenario? Any guidance would be very helpful.

    1. Jimmy Stewart says:

      I’ve actually resolved my issue. Turns out our SSL cert on the proxy server did not have the exportable key. This was preventing the WAP from working correctly. Once I added the correct SSL cert and re-published the proxy application it started working.

    2. Aissam says:

      Hello,
      I have the same configuration would please tell me the script that I must run on my shp apps server and owa.
      Thanks,

  10. Tuân Nguyễn says:

    Great post!

  11. John Rid says:

    >in both Internal and External environment

    Nope in that way environment working as earlier: in internal or external only. If set “internal-http” both link tried to get http://internal for web apps, if set “external-http” both link get http://external.domain.com for web apps.

  12. Patrik Hugi says:

    thanks for this usefull post.

    Is it possible to use OWA in SharePoint only for external access? I have configured in OWA internal-http and external-http. Now I want, that for external access OWA is used and for internal access Client Application is used.

    I tried with this command: Remove-SPWOPIBinding -Application “Word” -WOPIZone “internal-http”

    but this didn’t changed anything in behavior.

  13. Gurdip says:

    We use host named site collection so I can’t make the public entry of an AAM the root site collection. I’ve set the binding to external-https but still can’t load office web apps from outside the network. Please advise.

  14. Kb Kotresh says:

    HI Tarun,

    In our Production environment , https://.com can be access out side the Lan network as well.
    In this case do i need to configure the Internal url and external url ?

    Let me know your views on this .

Leave a Reply