Office Online Server (OOS)
Office Online Server (OOS) is the on-premises engine that puts Word, Excel, and PowerPoint editing directly inside a web browser — no client install required. It is the component that gives Exchange OWA its document preview, gives SharePoint its co-authoring, and lets Skype for Business render presentations in-meeting. Deployed correctly, OOS makes your private infrastructure feel as fluid as the cloud.
As I plan, deploy, and harden OOS farms across Windows Server 2019/2022/25 environments — integrating them tightly with Exchange 2019 & Subscription Edition (SE), Active Directory Certificate Services, and on-premises SharePoint. Every configuration described here is drawn from real lab and production deployments.
🏗️ OOS Farm Architecture
OOS operates as an independent server farm — separate from your Exchange or SharePoint servers — and exposes a single WOPI (Web Application Open Platform Interface) endpoint that integrated products query for rendering and editing sessions. Below is how a typical enterprise deployment is structured.
Office Online Server farm deployment — from client browser to WOPI host. All traffic traverses HTTPS port 443 with a SAN certificate issued by internal AD CS.
⚙️ How OOS Works — Request Lifecycle
Every document preview or editing session in OWA and SharePoint follows this sequence from browser click to rendered Office frame.
Client Request
User opens an attachment in OWA or a document in SharePoint. The host app redirects the browser to the OOS WOPI endpoint.
WAC Discovery
Host queries the OOS WAC discovery URL (https://oos.domain/hosting/discovery) to learn which file types OOS can handle.
WOPI Token Issued
The WOPI host generates a short-lived access token and passes it to OOS along with the file URL. OOS uses this to fetch the document securely.
Render & Stream
OOS fetches, renders, and streams the Office document as HTML5 back to the user’s browser. Edits are saved back via WOPI PutFile calls.
Session Ends
On close or timeout the OOS session is released. Changes are committed to the source file on Exchange or SharePoint storage.
🗂️ Core Features & Integrations
Browser-Based Office Editing
Full Word, Excel, and PowerPoint editing in any modern browser — no local Office install needed. Supports co-authoring, tracked changes, and formula editing.
Exchange 2019 + OWA
Unlocks document preview and in-browser editing for email attachments in Outlook on the Web (OWA). The integration is configured via Set-OrganizationConfig pointing to the OOS farm.
SharePoint On-Premises
Powers document preview tiles, in-browser authoring, and co-authoring across SharePoint 2016 and 2019 farms. Binding is done with New-SPWOPIBinding.
SSL / TLS End-to-End
OOS requires HTTPS exclusively. The farm’s SAN certificate must cover every node hostname and the farm FQDN. Certificates are issued from your internal AD CS hierarchy.
High-Availability Farm
Multiple nodes are added with New-OfficeWebAppsMachine -MachineToJoin. A network load balancer distributes sessions — loss of any single node is transparent to users.
Logging & Diagnostics
OOS writes ULS-style logs to %programdata%\Microsoft\OfficeWebApps\Data\Logs\ULS. Use Get-OfficeWebAppsFarm and Get-OfficeWebAppsMachine to inspect farm health.
🖥️ System Requirements
OOS must run on a dedicated server — it cannot be installed on the same machine as Exchange, SharePoint, or an Active Directory Domain Controller.
| Component | Minimum | Recommended (Production) | Notes |
|---|---|---|---|
| Operating System | Windows Server 2016 (Standard / Datacenter) | Windows Server 2019 or 2022 | Server Core is not supported |
| CPU | 4 cores | 8+ cores | OOS is CPU-heavy during document rendering |
| RAM | 8 GB | 16–32 GB per node | Increases concurrent editing session capacity |
| Disk | 60 GB free (OS + binaries) | 100+ GB | ULS log rotation must be configured |
| .NET Framework | .NET 4.5.2 | .NET 4.8 | Must be installed before OOS setup runs |
| IIS Role | IIS 8.5 with required role services | IIS 10 (Windows Server 2019+) | ASP.NET v4.0, Windows Auth, Static Compression required |
| SSL Certificate | Valid SAN cert (internal CA acceptable) | Wildcard or multi-SAN from AD CS | Must cover all farm node FQDNs + farm FQDN |
| Network | Port 443 open from all WOPI hosts | Dedicated NIC or VLAN for OOS | OOS must be reachable from Exchange and SharePoint |
🪪 Licensing Requirements
| Usage Mode | License Required | Features Enabled | Status |
|---|---|---|---|
| View-Only | No additional OOS license | Read Office documents in the browser. No editing, no saving. | Free |
| Editing Enabled | Microsoft Office Volume License (SA or equivalent) | Full browser-based create, edit, and save for Word, Excel, PowerPoint. | License Required |
| Enabling Editing | Existing Volume License with Software Assurance | Unlocked via Set-OfficeWebAppsFarm -EditingEnabled:$true |
PowerShell |
🚀 Deployment & Configuration Strategy
📋 Pre-Deployment Checklist
- Dedicated VM with Windows Server 2019 / 2022
- Domain-joined with appropriate DNS records (A + PTR)
- .NET Framework 4.8 installed
- IIS with all required role services (use
Install-WindowsFeature) - SAN SSL certificate issued and bound in IIS
- Port 443 open from Exchange and SharePoint servers
- WAC discovery URL reachable from client browsers
🔧 Key PowerShell Commands
New-OfficeWebAppsFarm— create the first farm nodeNew-OfficeWebAppsMachine -MachineToJoin— add a node to an existing farmGet-OfficeWebAppsFarm— inspect current farm configurationSet-OfficeWebAppsFarm -EditingEnabled:$true— enable editing modeSet-OrganizationConfig -WACDiscoveryEndpoint— bind OOS to ExchangeNew-SPWOPIBinding— bind OOS to SharePoint
| Deployment Component | Configuration | Purpose |
|---|---|---|
| Multi-Node Farm | 2–4 load-balanced OOS nodes | Ensures HA — a node failure does not interrupt active sessions on surviving nodes. |
| SSL / HTTPS Binding | SAN cert covering all node FQDNs + farm FQDN, bound in IIS on port 443 | Required by OOS — HTTP farms are not supported in production. |
| Internal Certificate Authority | AD CS with Enterprise Root CA, certificate auto-enrollment via GPO | Ensures Exchange, SharePoint, and OWA clients trust the OOS TLS certificate. |
| Log Management | ULS log rotation, Windows Event Log monitoring | Prevents disk exhaustion on OOS nodes; enables fast troubleshooting of session errors. |
| Windows Firewall | Inbound TCP 443 from Exchange, SharePoint, and client subnets | Restricts OOS access surface while allowing all required WOPI communication. |
🩺 Common Issues & Resolutions
| Error / Symptom | Root Cause | Fix |
|---|---|---|
| OOS setup fails — IIS role error | Missing IIS role services (ASP.NET 4.0, Windows Auth, Static Compression) | Run the prerequisite Install-WindowsFeature script before OOS installer |
| OWA “Refused to Connect” on document preview | OOS farm endpoint not registered in Exchange, or SSL cert not trusted by Exchange | Verify Set-OrganizationConfig -WACDiscoveryEndpoint and import OOS cert to Exchange trust store |
| “Session ID Error” in OOS | TLS mismatch — Exchange and OOS not agreeing on cipher suite or cert trust | Check TLS 1.2 enabled on both servers, root CA in correct trust store |
| “No license to edit” (PowerPoint / Word / Excel) | Editing not enabled on the farm, or Volume License not configured | Run Set-OfficeWebAppsFarm -EditingEnabled:$true after verifying license entitlement |
| OWA “Attachment still being edited” | Stale session lock on the OOS document session, file still checked out | Clear stale session via OWA admin, or recycle OOS app pool to release locks |
📖 Implementation & Blog Series
Step-by-step walkthroughs from real OOS deployments — covering installation, SSL hardening, and the most common errors encountered in Exchange + OOS integration.
Need OOS deployed or troubleshot?
I handle on-premises OOS deployments, Exchange integration, SSL configuration, and farm hardening for enterprise environments.