Limit access to Office Web Apps Server (OWAS)

By | July 15, 2013

When deploying an Office Web Apps Server (WAC/OWAS) the default allow list contains no domains, meaning OWAS will allow file requests to hosts in any domain.

OWAS_domain_unlocked

This could allow unauthorized use of your server/farm if the Office Web Apps Server is accessible from the Internet (deployed in DMZ or Reverse Proxy to Internal). An external party could define the Office Web Apps Server pointing to your OWAS URL and start using your server for their workloads.
OWAS_External_server

OWAS_Topology_External_server

To lock down Office Web Apps Server, use the “new-officewebappshost” Cmdlet ( http://technet.microsoft.com/en-us/library/jj219459.aspx ) and set the domain parameter.

OWAS_domain_locked

Any external party trying to leverage your Office Web Apps Server will get a server connectivity issue error.
Blocked

4 thoughts on “Limit access to Office Web Apps Server (OWAS)

  1. Pingback: Limit access to Office Web Apps Server (OWAS) | D(one) IT | JC's Blog-O-Gibberish

    1. MLamontagne

      In my testing, federated contacts (Lync or Lync Web App) and guests (Lync Web App) are able to present and view content via a restricted OWAS. The Lync Front End is involved during the upload/removal of content, this is where the allow list is is being checked. If a third party tried pointing their Lync topology, Sharepoint or Exchange to this OWAS url it wouldn’t match the allow list and would be blocked.

      Reply
  2. Pingback: The UC Architects » Episode 32: Special Guest Jamie Stark of Microsoft

Leave a Comment