Tuesday, 24 September 2013

Office Web App WCA - SSL confusion

Overview: Office Web Apps (WCA) 2013 defaults to using https. This is a good position to take, but SSL offloading may be needed, or you may want to do testing without SSL.  In my case we are using KEMP for SSL termination, and before the NLBs were in place I made some hard discoveries.

SSL: WCA wants to use SSL and has some confusing switches. They make sense eventually, so to summarise, you have 3 options to install WCA with SP2013:
  • Not using SSL (not recommended),
  • SSL certificates on the WCA servers,
  • SSL offloading (a hardware device such as an F5 or KEMP does the SSL decryption; this saves you distributing certs to the WCA servers but means that the traffic between the NLB and the servers is not encrypted).
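The three options above map onto three different ways of calling the farm creation cmdlet. The following is an added example, not a script from the original post; the host name wca.demo.dev and the certificate friendly name are assumptions, and the parameter the post refers to as -SSLOffLoading is spelled -SSLOffloaded on the cmdlet.

```powershell
# Added example (not from the original post): the three ways to create an
# Office Web Apps 2013 farm that correspond to the options listed above.
# wca.demo.dev and the certificate friendly name are assumed values.
Import-Module OfficeWebApps

$internalUrl = "https://wca.demo.dev"   # assumed farm FQDN

# Option 1: no SSL at all (not recommended). WOPI traffic between the
# consumer (SharePoint) and the farm is plain http end to end.
# New-OfficeWebAppsFarm -InternalUrl "http://wca.demo.dev" -AllowHttp -EditingEnabled

# Option 2: SSL terminated on the WCA servers themselves. The certificate
# (with the farm FQDN in its SAN) must already be in the machine store of
# every server in the farm and is referenced by its friendly name.
# New-OfficeWebAppsFarm -InternalUrl $internalUrl -CertificateName "wca.demo.dev" -EditingEnabled

# Option 3: SSL offloaded to the load balancer (F5/KEMP). The servers listen
# on port 80 behind the device; -SSLOffloaded tells the farm that its public
# URL is https even though it only ever sees http from the balancer.
New-OfficeWebAppsFarm -InternalUrl $internalUrl -SSLOffloaded -EditingEnabled

# Extra servers join the existing farm (run on each additional server,
# naming any server that is already a member).
# New-OfficeWebAppsMachine -MachineToJoin "wca01.demo.dev"

# Confirm which mode the farm actually ended up in before pointing
# SharePoint at it; a mismatch here is where the http/https confusion starts.
Get-OfficeWebAppsFarm |
    Select-Object InternalUrl, ExternalUrl, SSLOffloaded, AllowHttp, CertificateName
```

Only one of the three New-OfficeWebAppsFarm calls is uncommented so the block can be run as-is for the offloaded case; swap the comment markers to build the other two. The final Get-OfficeWebAppsFarm line is the check worth keeping: SSLOffloaded and AllowHttp both false with an https InternalUrl and no CertificateName is the combination that will never answer a request.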
My Scenario and Resolution:
Basically I have 2 WCA servers that make up my Office Web Apps farm.  I want to connect SharePoint 2013 to display/edit documents via the web browser, and I want the preview capability that SharePoint search needs.  This post explains the "Not Using SSL" situation.

In my initial attempt at installing the WCA farm I selected the -SSLOffLoading switch, which makes the WCA farm accept http requests.  Other resources then made http requests too, which is correct when a load balancer performing SSL termination is in place.  And here was the problem: when I open a Word document it just waits.  I opened the IE developer toolbar and noticed the https request.  Below is how I rolled out of the issue to allow me to use http throughout (don't do this in production).

Location of the ULS logs on the WCA VMs: C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS
This part of the post differs in that I explain how to use the SSL offloading scenario.
You need a load balancer such as an F5 or KEMP with networking configured.
The big differences are:
Ensure the WOPI zone is set to "internal-https".
Tip:  Watch the networking.
Tip:  You can't use a wildcard certificate if you use SSL termination on the load balancer (it actually works if you only have 1 WCA VM in your farm).
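The SharePoint side of the offloading scenario is the WOPI binding and the zone it uses, and the tip about networking is easiest to act on with a reachability check from a WFE. The following is an added example rather than anything from the original post; wca.demo.dev is an assumed name.

```powershell
# Added example (not from the original post): bind a SharePoint 2013 farm to
# the WCA farm and make sure the WOPI zone matches the https URL the load
# balancer presents. wca.demo.dev is an assumed host name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Create the WOPI bindings from the farm's discovery endpoint. With SSL
# offloading, discovery is served over https by the balancer, so -AllowHTTP
# is deliberately not used here; that switch belongs to the "no SSL" option.
New-SPWOPIBinding -ServerName "wca.demo.dev"

# The zone decides which of the advertised URLs SharePoint calls. With SSL
# terminated on the balancer it must be internal-https; an http zone makes
# SharePoint ask the farm for http URLs while the balancer only serves https.
$zone = Get-SPWOPIZone
if ($zone -ne "internal-https") {
    Write-Warning "WOPI zone is '$zone'; setting it to internal-https"
    Set-SPWOPIZone -zone "internal-https"
}

# Show exactly what SharePoint will call for each application and action.
Get-SPWOPIBinding |
    Select-Object Application, Extension, Action, WOPIZone, ServerName |
    Sort-Object Application, Action |
    Format-Table -AutoSize

# Networking check from the WFE towards the farm: discovery must answer 200
# through the balancer. The reverse direction (WCA fetching the file from the
# SP WFE) has to be tested from the WCA box itself, as the post's note says.
Invoke-WebRequest -Uri "https://wca.demo.dev/hosting/discovery" -UseBasicParsing |
    Select-Object StatusCode
```

Run this on a SharePoint server with the SharePoint snap-in available. If the discovery request succeeds but opening a document still hangs, the next place to look is the ULS log path given above on the WCA servers, because the failure is then on the WCA-to-WFE leg rather than the WFE-to-WCA leg.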
Scenario: a SharePoint 2013 farm (representing any WOPI client/consumer), which can be on http or https.  The WCA farm consists of 2 or more dedicated WCA VMs.
The diagram above shows how the client's browser interacts with the WOPI consumer, namely SharePoint 2013, which accesses the SSL-based URL for the WCA server.  So the request would go to https://wca.demo.dev.  The load balancer performs SSL termination and load balances to any WCA server on port 80 using session affinity.
Tip: I used a wildcard certificate in UAT that works in a load-balanced scenario, but rather go for a fully qualified certificate for the WCA https service.
Problem:  When I create a WCA farm (1 VM) and connect SharePoint to use the WCA farm, Office documents show correctly.  However, when I have multiple WCA servers, I get the error “[ServerError: Verifying signature failed]. [status:NotFound” in the VM logs on the Office Web Apps server (WCA ULS).

Initial hypothesis: The error appears to be an issue with SSL.  While rooting around I found the following information on certificates: http://technet.microsoft.com/en-us/library/jj219435.aspx#certificate

  • The certificate must come from a trusted Certificate Authority and include the fully qualified domain name (FQDN) of your Office Web Apps Server farm in the SAN (Subject Alternative Name) field. (If the FQDN is not in the SAN when you try to use the certificate, the browser will either show security warnings or won’t process the response.)
  • The FQDN in the SAN field can’t begin with an asterisk (*).
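Both of those requirements can be checked against the certificates already in a server's machine store before the farm is built, which is quicker than waiting for the cache to clear. The following is an added example, not from the original post or from Microsoft's documentation; the farm FQDN is an assumed value.

```powershell
# Added example (not from the original post): check each certificate with a
# private key in the local machine store against the two SAN requirements
# quoted above. The farm FQDN is an assumed value.
$farmFqdn = "wca.demo.dev"

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

foreach ($cert in $certs) {
    # The SAN is the X.509 extension with OID 2.5.29.17; Format($true) renders
    # it as one "DNS Name=<host>" entry per line on Windows.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $sanExt) { continue }   # no SAN at all: fails requirement 1 outright

    $dnsNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }

    $hasFqdn   = $dnsNames -contains $farmFqdn          # requirement 1
    $wildcards = $dnsNames | Where-Object { $_.StartsWith("*") }   # requirement 2

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        SanNames     = ($dnsNames -join ", ")
        FqdnInSan    = $hasFqdn
        WildcardSan  = [bool]$wildcards
        # Only a certificate that names the farm FQDN literally and carries no
        # wildcard entry satisfies both requirements for a multi-server farm.
        UsableForWca = ($hasFqdn -and -not $wildcards)
    }
}
```

Run it on the server that holds the certificate you intend to bind (or the one uploaded to the balancer, if it was exported from a Windows store). A wildcard certificate shows up here as WildcardSan true and UsableForWca false, which is exactly the certificate that works with one WCA VM and fails once a second one is added.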

Below is a view of the SAN field of our wildcard certificate:
What made this issue tough to track down is that when I only have 1 WCA server, WCA displays my Word document correctly.  The document is cached when I add the remaining servers; however, once the cache clears down I lose WCA functionality.
Microsoft troubleshooting for WCA
Tip:  A lot of issues around WCA involve networking.  It is useful to verify networking on the VMs.  I use hosts entries until I am ready to get the load-balancing service working.  Note:  Ensure communication from WCA back to the SP WFEs.

