Office Online Server (OOS) – MAHARJAN-BINOD
MAHARJAN-BINOD Enterprise Collaboration & On-Premises Productivity

Office Online Server (OOS)

Office Online Server (OOS) is the on-premises engine that puts Word, Excel, and PowerPoint editing directly inside a web browser — no client install required. It is the component that gives Exchange OWA its document preview, gives SharePoint its co-authoring, and lets Skype for Business render presentations in-meeting. Deployed correctly, OOS makes your private infrastructure feel as fluid as the cloud.

As I plan, deploy, and harden OOS farms across Windows Server 2019/2022/25 environments — integrating them tightly with Exchange 2019 & Subscription Edition (SE), Active Directory Certificate Services, and on-premises SharePoint. Every configuration described here is drawn from real lab and production deployments.

3
Office Apps Supported
HTTPS
Only Supported Protocol
HA
Multi-Node Farm Mode
WAC
Discovery Endpoint

🏗️ OOS Farm Architecture

OOS operates as an independent server farm — separate from your Exchange or SharePoint servers — and exposes a single WOPI (Web Application Open Platform Interface) endpoint that integrated products query for rendering and editing sessions. Below is how a typical enterprise deployment is structured.

OOS Farm Architecture Architecture diagram showing how browsers and clients connect through a load balancer to OOS nodes, which in turn communicate with Exchange 2019, SharePoint, and file storage. Web Browser (Chrome / Edge / Firefox) OWA / ECP (Exchange 2019) SharePoint (On-Premises Farm) CLIENT TIER HTTPS / WOPI Load Balancer NLB / F5 / HAProxy Port 443 (HTTPS) Round-robin routing LOAD BALANCER TIER OOS FARM (New-OfficeWebAppsFarm) OOS Node 1 oos01.domain.local OOS Node 2 oos02.domain.local OOS Node 3 (optional) oos03.domain.local OOS FARM TIER 🔒 SAN SSL Cert (AD CS) WAC Discovery: HTTPS/443 AD CS Internal CA Active Directory DNS + Auth WOPI Callbacks Exchange 2019 OWA Attachments SharePoint Document Libraries File Storage UNC / HTTPS share BACKEND / WOPI HOST TIER LEGEND HTTPS / WOPI request Internal farm / callback traffic Certificate issuance (AD CS) Client / host application Load balancer OOS farm node

Office Online Server farm deployment — from client browser to WOPI host. All traffic traverses HTTPS port 443 with a SAN certificate issued by internal AD CS.

What is WOPI? — Web Application Open Platform Interface (WOPI) is the protocol that OOS uses to communicate with its host applications (Exchange, SharePoint). The host tells OOS where the file lives and grants a temporary access token; OOS fetches the file, renders it, and streams back the result. OOS itself never stores documents — it is a pure rendering and editing engine.

⚙️ How OOS Works — Request Lifecycle

Every document preview or editing session in OWA and SharePoint follows this sequence from browser click to rendered Office frame.

1

Client Request

User opens an attachment in OWA or a document in SharePoint. The host app redirects the browser to the OOS WOPI endpoint.

2

WAC Discovery

Host queries the OOS WAC discovery URL (https://oos.domain/hosting/discovery) to learn which file types OOS can handle.

3

WOPI Token Issued

The WOPI host generates a short-lived access token and passes it to OOS along with the file URL. OOS uses this to fetch the document securely.

4

Render & Stream

OOS fetches, renders, and streams the Office document as HTML5 back to the user’s browser. Edits are saved back via WOPI PutFile calls.

5

Session Ends

On close or timeout the OOS session is released. Changes are committed to the source file on Exchange or SharePoint storage.

🗂️ Core Features & Integrations

📄

Browser-Based Office Editing

Full Word, Excel, and PowerPoint editing in any modern browser — no local Office install needed. Supports co-authoring, tracked changes, and formula editing.

📫

Exchange 2019 + OWA

Unlocks document preview and in-browser editing for email attachments in Outlook on the Web (OWA). The integration is configured via Set-OrganizationConfig pointing to the OOS farm.

📂

SharePoint On-Premises

Powers document preview tiles, in-browser authoring, and co-authoring across SharePoint 2016 and 2019 farms. Binding is done with New-SPWOPIBinding.

🔒

SSL / TLS End-to-End

OOS requires HTTPS exclusively. The farm’s SAN certificate must cover every node hostname and the farm FQDN. Certificates are issued from your internal AD CS hierarchy.

⚖️

High-Availability Farm

Multiple nodes are added with New-OfficeWebAppsMachine -MachineToJoin. A network load balancer distributes sessions — loss of any single node is transparent to users.

📊

Logging & Diagnostics

OOS writes ULS-style logs to %programdata%\Microsoft\OfficeWebApps\Data\Logs\ULS. Use Get-OfficeWebAppsFarm and Get-OfficeWebAppsMachine to inspect farm health.

🖥️ System Requirements

OOS must run on a dedicated server — it cannot be installed on the same machine as Exchange, SharePoint, or an Active Directory Domain Controller.

⚠️ Isolation Requirement: Microsoft explicitly prohibits co-locating OOS with other server products. Always provision a dedicated VM or physical host for your OOS farm nodes.
Component Minimum Recommended (Production) Notes
Operating System Windows Server 2016 (Standard / Datacenter) Windows Server 2019 or 2022 Server Core is not supported
CPU 4 cores 8+ cores OOS is CPU-heavy during document rendering
RAM 8 GB 16–32 GB per node Increases concurrent editing session capacity
Disk 60 GB free (OS + binaries) 100+ GB ULS log rotation must be configured
.NET Framework .NET 4.5.2 .NET 4.8 Must be installed before OOS setup runs
IIS Role IIS 8.5 with required role services IIS 10 (Windows Server 2019+) ASP.NET v4.0, Windows Auth, Static Compression required
SSL Certificate Valid SAN cert (internal CA acceptable) Wildcard or multi-SAN from AD CS Must cover all farm node FQDNs + farm FQDN
Network Port 443 open from all WOPI hosts Dedicated NIC or VLAN for OOS OOS must be reachable from Exchange and SharePoint

🪪 Licensing Requirements

Usage Mode License Required Features Enabled Status
View-Only No additional OOS license Read Office documents in the browser. No editing, no saving. Free
Editing Enabled Microsoft Office Volume License (SA or equivalent) Full browser-based create, edit, and save for Word, Excel, PowerPoint. License Required
Enabling Editing Existing Volume License with Software Assurance Unlocked via Set-OfficeWebAppsFarm -EditingEnabled:$true PowerShell
Verify your license before enabling editing. Running OOS in editing mode without the appropriate Volume License entitlement is a compliance violation. Check with your Microsoft licensing contact or review your EA/MPSA agreement before enabling.

🚀 Deployment & Configuration Strategy

📋 Pre-Deployment Checklist

  • Dedicated VM with Windows Server 2019 / 2022
  • Domain-joined with appropriate DNS records (A + PTR)
  • .NET Framework 4.8 installed
  • IIS with all required role services (use Install-WindowsFeature)
  • SAN SSL certificate issued and bound in IIS
  • Port 443 open from Exchange and SharePoint servers
  • WAC discovery URL reachable from client browsers

🔧 Key PowerShell Commands

  • New-OfficeWebAppsFarm — create the first farm node
  • New-OfficeWebAppsMachine -MachineToJoin — add a node to an existing farm
  • Get-OfficeWebAppsFarm — inspect current farm configuration
  • Set-OfficeWebAppsFarm -EditingEnabled:$true — enable editing mode
  • Set-OrganizationConfig -WACDiscoveryEndpoint — bind OOS to Exchange
  • New-SPWOPIBinding — bind OOS to SharePoint
Deployment Component Configuration Purpose
Multi-Node Farm 2–4 load-balanced OOS nodes Ensures HA — a node failure does not interrupt active sessions on surviving nodes.
SSL / HTTPS Binding SAN cert covering all node FQDNs + farm FQDN, bound in IIS on port 443 Required by OOS — HTTP farms are not supported in production.
Internal Certificate Authority AD CS with Enterprise Root CA, certificate auto-enrollment via GPO Ensures Exchange, SharePoint, and OWA clients trust the OOS TLS certificate.
Log Management ULS log rotation, Windows Event Log monitoring Prevents disk exhaustion on OOS nodes; enables fast troubleshooting of session errors.
Windows Firewall Inbound TCP 443 from Exchange, SharePoint, and client subnets Restricts OOS access surface while allowing all required WOPI communication.

🩺 Common Issues & Resolutions

Error / Symptom Root Cause Fix
OOS setup fails — IIS role error Missing IIS role services (ASP.NET 4.0, Windows Auth, Static Compression) Run the prerequisite Install-WindowsFeature script before OOS installer
OWA “Refused to Connect” on document preview OOS farm endpoint not registered in Exchange, or SSL cert not trusted by Exchange Verify Set-OrganizationConfig -WACDiscoveryEndpoint and import OOS cert to Exchange trust store
“Session ID Error” in OOS TLS mismatch — Exchange and OOS not agreeing on cipher suite or cert trust Check TLS 1.2 enabled on both servers, root CA in correct trust store
“No license to edit” (PowerPoint / Word / Excel) Editing not enabled on the farm, or Volume License not configured Run Set-OfficeWebAppsFarm -EditingEnabled:$true after verifying license entitlement
OWA “Attachment still being edited” Stale session lock on the OOS document session, file still checked out Clear stale session via OWA admin, or recycle OOS app pool to release locks

📖 Implementation & Blog Series

Step-by-step walkthroughs from real OOS deployments — covering installation, SSL hardening, and the most common errors encountered in Exchange + OOS integration.

Need OOS deployed or troubleshot?

I handle on-premises OOS deployments, Exchange integration, SSL configuration, and farm hardening for enterprise environments.

Get in touch →