Daniel Westerdale
Iron Contributor
Feb 21, 2018

Setting up WOPI Binding to Office Online Server Multi-server (not load balanced)

Hi

I have inherited an existing on-premises farm infrastructure that consists of a pair of load balanced SharePoint 2016 WFEs, with each having a single Office Online Server (OOS) instance. The Office Online Servers are currently not load balanced, which I think is starting to bite me!

Yesterday, I successfully deployed and configured each OOS instance and created a WOPI binding to the WFE hosted locally, as per the single instance configuration documented in Deploy Office Online Server. To test out HTTPS, I created a self-cert on each OOS instance, which I exported to the relevant WFE. Finally, I RDPed onto each WFE and happily rendered an Office document.

However, when I repeat the same test on my client PC, the WOPI binding for each server is of course blocked, as these WFEs are not on the same subnet as the client PC :-(.

I need to reconfigure the OOS farm and/or change the WOPI bindings. I suspect I will need to create the OOS farm with a load balancer. Note, we don't really need HA in the case of OOS, as this will have a light workload and also there are no plans to open up SharePoint on-premises to external users.

Any advice is very welcome.

 

8 Replies

  • Each client must be able to access OOS directly via HTTP or HTTPS (I highly recommend using SSL end-to-end with OAuth tokens); each SharePoint server also must be able to access OOS as the binding is farm-wide, not for a particular SharePoint server in the farm. This also means you should put in a trusted certificate, either issued from a public CA or an internal CA that your client PCs trust.
    • Daniel Westerdale
      Iron Contributor

      Hi Trevor Seward

      Thanks, I rechecked my config this morning and discovered a couple of things:

      1. The external URL I had configured when I created the farm was incorrect, as there wasn't a DNS entry for each OOS. Not an issue as not allowing external access.
      2. The main showstopper is exactly as you have stated: no clients can access OOS on port 443. Looks like we missed the firewall rules for OOS as part of a previous installation.

      If I put in an RFC tomorrow, then apart from ports 80 and 443, are there other ports OOS needs to communicate with clients that you can think of?

      We do have the option of an internal CA, but I have been testing with self-certs, which I export as ".cer" and import into the Trusted Hosts on each of the WFEs. I assume this is OK.

      Looking at DNS with entries per OOS versus load balancer - going to test with the single instances (each bound to a single WFE) when the rules are in place and give the business the option.

      • Trevor Seward
        MVP
        Only expose tcp/443. For the certs, your client also needs to trust the cert itself. This means you'd need to import the self-signed cert to each client. I'm not sure what you mean 'bound to each FE'. You can only have a single OOS farm (be it one or more servers) per SharePoint farm.
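
A client-side check for the two conditions raised in the replies above (tcp/443 reachable from the client PC, and the OOS certificate trusted by that client), as an added example that is not code from the thread's participants. The host names in the last line are placeholders, and `/hosting/discovery` is assumed to be the WOPI discovery URL of the OOS farm.

```powershell
# Added example (not from the thread). Run it on a client PC, not on a WFE.
function Test-OosClientAccess {
    param([Parameter(Mandatory)][string[]]$OosHost, [int]$TimeoutMs = 5000)
    foreach ($name in $OosHost) {
        $r = [ordered]@{ Host = $name; Tcp443 = $false; CertSubject = $null
                         PolicyErrors = $null; CertTrusted = $false
                         Discovery = $false; Error = $null }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            # 1. Firewall: can this client open tcp/443 to OOS at all?
            $pending = $tcp.BeginConnect($name, 443, $null, $null)
            if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw 'tcp/443 connect timed out' }
            $tcp.EndConnect($pending)
            $r.Tcp443 = $true

            # 2. Trust: record what this client's certificate store says.
            #    The callback lets the handshake finish so the policy errors
            #    can be reported; it is for diagnosis only, never for real traffic.
            $script:oosPolicyErrors = $null
            $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
                param($s, $cert, $chain, $errors)
                $script:oosPolicyErrors = $errors
                $true
            }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
            $ssl.AuthenticateAsClient($name)
            $r.CertSubject  = $ssl.RemoteCertificate.Subject
            $r.PolicyErrors = "$script:oosPolicyErrors"
            $r.CertTrusted  = ($r.PolicyErrors -eq 'None')
            $ssl.Dispose()

            # 3. WOPI discovery, fetched with normal validation, only if trusted.
            if ($r.CertTrusted) {
                $resp = Invoke-WebRequest -Uri "https://$name/hosting/discovery" -UseBasicParsing -TimeoutSec 15
                $r.Discovery = $null -ne ([xml]$resp.Content).'wopi-discovery'
            }
        }
        catch { $r.Error = $_.Exception.Message }
        finally { $tcp.Close() }
        [pscustomobject]$r
    }
}

# Placeholder host names (assumption): replace with the OOS FQDNs in your DNS.
Test-OosClientAccess -OosHost 'oos1.example.internal', 'oos2.example.internal' | Format-List
```

A row with `Tcp443 = False` points at the missing firewall rule; `Tcp443 = True` with `PolicyErrors` other than `None` points at a certificate the client does not trust or that does not match the host name.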
