D(one) IT

IT Tips, Tricks & Such

Limit access to Office Web Apps Server (OWAS)

When deploying an Office Web Apps Server (WAC/OWAS) the default allow list contains no domains, meaning OWAS will allow file requests to hosts in any domain.

OWAS_domain_unlocked

This could allow unauthorized use of your server/farm if the Office Web Apps Server is accessible from the Internet (deployed in DMZ or Reverse Proxy to Internal). An external party could define the Office Web Apps Server pointing to your OWAS URL and start using your server for their workloads.
OWAS_External_server

OWAS_Topology_External_server

To lock down Office Web Apps Server, use the “new-officewebappshost” Cmdlet (http://technet.microsoft.com/en-us/library/jj219459.aspx) and set the domain parameter.

OWAS_domain_locked

Any external party trying to leverage your Office Web Apps Server will get a server connectivity issue error.
Blocked

Advertisements

4 responses to “Limit access to Office Web Apps Server (OWAS)

  1. Pingback: Limit access to Office Web Apps Server (OWAS) | D(one) IT | JC's Blog-O-Gibberish

  2. Pat Richard (@patrichard) December 25, 2013 at 8:00 am

    Does this then also restrict federated contacts who are attending a meeting you’re hosting from being able to present content via OWAS?

    • MLamontagne December 25, 2013 at 1:45 pm

      In my testing, federated contacts (Lync or Lync Web App) and guests (Lync Web App) are able to present and view content via a restricted OWAS. The Lync Front End is involved during the upload/removal of content, this is where the allow list is is being checked. If a third party tried pointing their Lync topology, Sharepoint or Exchange to this OWAS url it wouldn’t match the allow list and would be blocked.

  3. Pingback: The UC Architects » Episode 32: Special Guest Jamie Stark of Microsoft

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: