Setting up WOPI Binding to Office Online Server Multi-server (not load balanced)


Hi

I have inherited an existing on-premises farm infrastructure that consists of a pair of load balanced SharePoint 2016 WFEs, each having a single Office Online Server (OOS) instance. The Office Online Servers are currently not load balanced, which I think is starting to bite me!

Yesterday, I successfully deployed and configured each OOS instance and created a WOPI binding to the WFE hosted locally, as per the single instance configuration documented in Deploy Office Online Server. To test out HTTPS, I created a self-signed cert on each OOS instance, which I exported to the relevant WFE. Finally, I RDPed onto each WFE and happily rendered an Office document.

However, when I repeat the same test from my client PC, the WOPI binding on each server is of course blocked, as the WFEs are not on the same subnet as the client PC :(

I need to reconfigure the OOS farm and/or change the WOPI bindings. I suspect I will need to create the OOS farm with a load balancer. Note, we don't really need HA in the case of OOS, as this will have a light workload, and there are also no plans to open up SharePoint on-premises to external users.

Any advice is very welcome.

8 Replies
Each client must be able to access OOS directly via HTTP or HTTPS (I highly recommend using SSL end-to-end with OAuth tokens); each SharePoint server also must be able to access OOS as the binding is farm-wide, not for a particular SharePoint server in the farm. This also means you should put in a trusted certificate, either issued from a public CA or an internal CA that your client PCs trust.

Hi @Trevor Seward

Thanks, I rechecked my config this morning and discovered a couple of things:

  1. The external URL I had configured when I created the farm was incorrect, as there wasn't a DNS entry for each OOS. Not an issue, as we're not allowing external access.
  2. The main showstopper is exactly as you have stated: no clients can access OOS on port 443. Looks like we missed the firewall rules for OOS as part of a previous installation.

If I put in an RFC tomorrow, then apart from ports 80 and 443, are there other ports OOS needs to communicate with clients that you can think of?

We do have the option of an internal CA, but I have been testing with self-signed certs, which I export as ".cer" and import into the Trusted Hosts on each of the WFEs. I assume this is OK.

Looking at DNS with entries per OOS versus a load balancer: going to test with the single instances (each bound to a single WFE) when the rules are in place and give the business the option.

Only expose tcp/443. For the certs, your client also needs to trust the cert itself. This means you'd need to import the self-signed cert to each client. I'm not sure what you mean by 'bound to each FE'. You can only have a single OOS farm (be it one or more servers) per SharePoint farm.
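The two checks in the reply above (tcp/443 reachable from the client, and the client itself trusting the OOS certificate) can be run from any intranet PC. The script below is an added example, not code from the thread; the hostname oosa.contoso.com is an assumption taken from the thread's naming. It completes a TLS handshake to OOS, chains the presented certificate against the client's own store (a self-signed cert that was only imported on the WFEs fails here, because the browser on the client builds its own chain), prints the SAN names to compare against the URL you type, and finally fetches the WOPI discovery document that SharePoint reads when you run New-SPWOPIBinding.

```powershell
# Added example (not from the thread). Run from an intranet client PC.
$oosHost = 'oosa.contoso.com'   # assumed OOS (or OOS farm) FQDN

# 1. Firewall: clients only need tcp/443 to OOS. Test-NetConnection ships with Windows 8/2012+.
$tcp = Test-NetConnection -ComputerName $oosHost -Port 443
if (-not $tcp.TcpTestSucceeded) {
    throw "tcp/443 from this client to $oosHost is blocked; an OOS firewall rule is missing"
}

# 2. Trust: handshake with validation deferred, then build the chain ourselves so the
#    failure reason (e.g. UntrustedRoot for a self-signed cert) is visible.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($sender, $cert, $chain, $errors) $true }
$tcpClient = New-Object System.Net.Sockets.TcpClient($oosHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($oosHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcpClient.Dispose()

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($serverCert)   # $true only if THIS client's store chains the cert to a trusted root
$status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
$san     = ($serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })

"Subject : $($serverCert.Subject)"
"Issuer  : $($serverCert.Issuer)"
"SAN     : $san"            # must contain the exact name users browse to (LB name, if you front OOS with one)
"Trusted : $trusted $status"  # e.g. 'False UntrustedRoot' for a self-signed cert imported only on the WFEs

# 3. Service: the WOPI discovery XML. -UseBasicParsing avoids the IE engine; a trust
#    failure surfaces here as a WebException rather than a rendered document.
$disco = Invoke-WebRequest -Uri "https://$oosHost/hosting/discovery" -UseBasicParsing
"Discovery: HTTP $($disco.StatusCode), $($disco.Content.Length) bytes of XML"
```

If step 1 fails, it is the firewall; if step 2 reports UntrustedRoot or the SAN line lacks the browsed name, it is the certificate, and the fix is a cert from a CA the clients already trust, not another export to the WFEs.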

OK, let's clarify things from my perspective. The client is any intranet user who needs to render an Office document that is hosted on-premises; they don't need a cert import as far as I know. I have only exported the cert created on an OOS instance onto the WFE in the same data centre. Repeat this config per data centre.

When I refer to the OOS farm, I mean going onto each OOS instance and running:

New-OfficeWebAppsFarm -InternalUrl "https://oosa.contoso.com" -ExternalUrl "https://oosa.contoso.com" -CertificateName "OfficeWebApps Certificate" -EditingEnabled

Then repeating for the other OOS instance (oosb.contoso.com). I don't think it is possible to configure a multi-server OOS farm as there is currently no LB IP address available.

You can configure a multi-OOS farm without a load balancer, but yeah traffic will only be directed at a single host so the utility isn't there (I'd argue just get a free LB, like HAProxy). On the other hand, why build multiple OOS farms? Just share a single farm among multiple SharePoint farms/Exchange/SfB deployments.

I think you are right. I did the single host config just to get a demo working. However, with a bit more effort, I could configure one of the LBs and create a multi-server OOS farm, to be shared across SfB, Exchange and the other SharePoint farms (SP2016 dev, SP2013). Thanks, I will mention this to the team tomorrow.

If you go multiple server, you will want to have a trusted cert (internal or public). You need to have a subject name of the FQDN of the deployment (e.g. office.example.com) with multiple SANs. The first will match the subject name, the subsequent will be the FQDN of the Office Online Servers within your deployment (e.g. oos01.corp.example.com, oos02.corp.example.com, etc).
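The multi-server layout recommended in the two replies above (one shared OOS farm behind a load-balanced name, a trusted certificate whose subject is the deployment FQDN with a SAN per node, and a single farm-wide WOPI binding) looks like the following when scripted. This is an added example, not code from the thread or from Microsoft's documentation; every name in it (office.contoso.com, oos01/oos02.corp.contoso.com, the CA config string, the C:\certs paths) is an assumption, and the steps run on different machines as the comments state.

```powershell
# Added example (not from the thread). Steps 1-3 run on the OOS nodes, step 4 on a SharePoint server.

# --- Step 1 (on oos01): request a cert from the internal CA. Subject = the load-balanced FQDN;
#     SANs = that FQDN plus each farm member, exactly as the reply above describes (certreq INF syntax).
$inf = @"
[NewRequest]
Subject = "CN=office.contoso.com"
FriendlyName = "OfficeWebApps Certificate"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=office.contoso.com&"
_continue_ = "dns=oos01.corp.contoso.com&"
_continue_ = "dns=oos02.corp.contoso.com"
"@
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\oos.inf -Value $inf -Encoding ASCII
certreq -new C:\certs\oos.inf C:\certs\oos.req
certreq -submit -config "ca01.corp.contoso.com\Contoso Issuing CA" C:\certs\oos.req C:\certs\oos.cer   # assumed CA
certreq -accept C:\certs\oos.cer   # pairs the issued cert with its key in LocalMachine\My, friendly name as above
# Exportable = TRUE so the cert+key can be exported as a .pfx and imported into LocalMachine\My on oos02.

# --- Step 2 (on oos01): create the farm ONCE. -CertificateName is the friendly name from the INF.
#     With no external access, ExternalUrl can be the same as InternalUrl (it is optional).
Import-Module OfficeWebApps
New-OfficeWebAppsFarm -InternalUrl "https://office.contoso.com" `
                      -ExternalUrl "https://office.contoso.com" `
                      -CertificateName "OfficeWebApps Certificate" `
                      -EditingEnabled

# --- Step 3 (on oos02, after importing the same .pfx): JOIN the existing farm; do not run
#     New-OfficeWebAppsFarm a second time. Farm members talk to each other on tcp/809, which must
#     be open between the nodes; clients still only need tcp/443 to the load-balanced name.
Import-Module OfficeWebApps
New-OfficeWebAppsMachine -MachineToJoin "oos01.corp.contoso.com"
Get-OfficeWebAppsMachine   # expect both nodes listed as Healthy

# --- Step 4 (on any SharePoint server; the binding is farm-wide): bind to the LB name over HTTPS
#     and make the https zone active so SharePoint never falls back to http.
Add-PSSnapin Microsoft.SharePoint.PowerShell
New-SPWOPIBinding -ServerName "office.contoso.com"
Set-SPWOPIZone -zone "internal-https"
Get-SPWOPIZone   # expect: internal-https
```

The same farm can then be pointed at from Exchange and Skype for Business by its discovery URL (https://office.contoso.com/hosting/discovery), which is what makes a single shared farm the simpler option over one farm per SharePoint WFE.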

@Trevor Seward wrote:
If you go multiple server, you will want to have a trusted cert (internal or public). You need to have a subject name of the FQDN of the deployment (e.g. office.example.com) with multiple SANs. The first will match the subject name, the subsequent will be the FQDN of the Office Online Servers within your deployment (e.g. oos01.corp.example.com, oos02.corp.example.com, etc).

I understand ... let's hope the business agrees to this; I think this is the way we should go. Thanks for your help.