Issue with Office Web Apps Server 2013 Published Externally Using TMG 2010

I was helping a customer set up Lync Server 2013 when we ran into an interesting issue while testing conferencing with external Lync 2013 clients.  Every time we attempted to present a PowerPoint presentation, the presentation would never display.  From the screenshot below, you can see that the file was uploaded to the Lync Server 2013 Front End Server successfully:

In Lync Server 2013, once the PowerPoint presentation is successfully uploaded to the Lync Server 2013 Front End Server, a URL is passed back to all of the clients in order for them to download the PowerPoint presentation.  This URL points the clients to the Office Web Apps Server 2013.  The Lync 2013 client then makes a connection to the Office Web Apps Server 2013 to view the PowerPoint presentation.  However, as you can see in the screenshots below, the presentation is never loaded:

Eventually it would error out with:

Either the network connection has been lost or the server is busy. Please check your network connection.

In order to troubleshoot what was happening we needed to be able to see the HTTPS traffic that the Lync 2013 client was sending/receiving.  The easiest way to do that is to use a program called Fiddler.  It allows you to decrypt and view the HTTPS traffic that is being sent by the Lync 2013 client.  In the screenshot below, you can see that when the Lync 2013 client attempts to connect to the Office Web Apps Server 2013, an error result is being returned:



If you look at the raw information being returned, you can see the following error information:

HTTP/1.1 500 ( The request was rejected by the HTTP filter. Contact the server administrator. )

This means that the request to download the PowerPoint content is being blocked somewhere.  Since the client we took the tracing on is external, the first place to look is on the Reverse Proxy.  In this case, the Reverse Proxy is Threat Management Gateway (TMG) 2010.  Looking at the logging on the TMG server, you can see that in fact, TMG is rejecting the traffic:



If you search for the error that is being returned, you will find reference to KB837865.  The workaround in the KB makes reference to editing the Web Publishing Rule that was created for Office Web Apps Server 2013.  If you go into the Firewall Policy in the TMG Management Console:

Right click on the Web Publishing Rule created for Office Web Apps Server 2013 and click on Properties:

Then click on the Traffic tab:

Then click on Filtering > Configure HTTP:

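On the General tab, under URL Protection, are the settings we're looking for.  KB837865 says to uncheck Block high bit characters; however, for the issue we're seeing, the resolution is to uncheck Verify normalization.  The HTTP filter is configured per rule, so this change affects only the Web Publishing Rule for Office Web Apps Server 2013: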

Once we applied the changes to TMG, we tested again, and this time as you can see in the screenshot below, the Lync 2013 client was able to successfully connect to the Office Web Apps Server 2013:



From the Lync 2013 client, the PowerPoint presentation was loaded successfully:
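
An added example (not from the original post, and not TMG's own code): a simplified Python model of the two URL Protection checks named above. As Microsoft documents the HTTP filter, Verify normalization decodes the URL twice and rejects the request if the second pass changes it. The sample URLs and host names are constructed, and the post does not show which part of the Office Web Apps request tripped the check.

```python
from urllib.parse import unquote

# Constructed sample URLs; host names are hypothetical. WOPISrc is the WOPI
# parameter that carries the file URL; the values here are made up.
SINGLE = "https://owas.example.test/view?WOPISrc=https%3A%2F%2Ffe.example.test%2Ffiles%2F1"
DOUBLE = "https://owas.example.test/view?WOPISrc=https%253A%252F%252Ffe.example.test%252Ffiles%252F1"
HIGH_BIT = "https://owas.example.test/docs/caf%E9.pptx"


def normalize(url: str) -> str:
    """One normalization pass: decode %XX escapes (simplified model)."""
    # latin-1 maps each decoded byte to exactly one character.
    return unquote(url, encoding="latin-1")


def passes_verify_normalization(url: str) -> bool:
    """Normalize twice; a URL that changes on the second pass is rejected."""
    once = normalize(url)
    return normalize(once) == once


def passes_high_bit(url: str) -> bool:
    """Reject URLs whose decoded form contains a byte above 0x7F."""
    return all(ord(ch) <= 0x7F for ch in normalize(url))


def filter_verdict(url: str, verify_normalization: bool = True,
                   block_high_bit: bool = True) -> str:
    """Return 'allow' or the name of the URL Protection check that rejects."""
    if verify_normalization and not passes_verify_normalization(url):
        return "reject: Verify normalization"
    if block_high_bit and not passes_high_bit(url):
        return "reject: Block high bit characters"
    return "allow"


if __name__ == "__main__":
    for name, url in (("single", SINGLE), ("double", DOUBLE), ("high bit", HIGH_BIT)):
        print(f"{name:9} default rule      -> {filter_verdict(url)}")
        print(f"{name:9} high bit off      -> {filter_verdict(url, block_high_bit=False)}")
        print(f"{name:9} normalization off -> {filter_verdict(url, verify_normalization=False)}")
```

A URL rejected only by the normalization check is unaffected by unchecking Block high bit characters, which matches the behaviour described in the post. With Verify normalization off, the rule no longer screens double-encoded URLs, so the published server has to handle them safely itself.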

Comments

  • Anonymous
    November 11, 2013
    I see this a lot on OWA/TMG deployments. The specific HTTP setting is also covered in TechNet article "Publishing Office Web Apps Server Using a Reverse Proxy Server"  (technet.microsoft.com/.../jj204665.aspx)

  • Anonymous
    November 12, 2013
    Thanks, it helped me to solve the webapps publish!!!!

  • Anonymous
    December 14, 2013
    Farm Information: Web Application published internally and externally (so make sure both URLs added
