The answer is yes if the users will access SharePoint with OWA from Internet. This may be a little surprising from network security point of view. What’s more, by viewing the diagram below on TechNet, it seems you need an internet-facing IP only if there are file hosts ( e.g. Exchange server) that uses the OWA server from the internet.
Therefore, it seems that if all your server setups are in your internal network (including the Office Web Apps Server farm, SharePoint, Exchange, Lync etc.), you don’t need to purchase an IP for the Office Web Server farm.
However, if you have users accessing SharePoint from the internet and would like to use Office Web App server, it does not work if a user’s browser could not call the Office Web Apps Server farm directly from the internet. That’s is why you need a public facing IP. This is how OWA Server works. To find out why, let’s look at how OWA works under the hood.
The key part of the integration is that Office Web Apps use the WOPI API to communicate with SharePoint 2013. So in order to understand why public (Internet-facing) IP is needed, we need to look at how WOPI API works.
First things first, let’s review a few definitions to avoid possible confusion.
- WOPI host – As defined in this blog, a WOPI host is document storage location that can connect to Office Web Apps Server to open Office documents in the browser. In this case, it’s SharePoint.
- WOPI Client – A WOPI client is an application that uses the WOPI API to perform actions (such as view and edit) on the files stored in the WOPI host. In our case, it’s the Office Web Apps.
Nick Simons had an awesome blog post introducing how Office Web Apps works. I am borrowing a diagram he used here:
Here is what happens when a user request viewing a file in SharePoint using Office Web Apps Server:
- Users issue a request to SharePoint to view the document.
- SharePoint navigates the user to a page that contains a WOPI frame that knows how to talk to Office Web Apps.
- The WOPI frame contains an iframe that navigates the user to a page in the Office Web Apps Server which shows the content rendered from SharePoint.
- User browser sends the WOPI source (including the name and the URL of the file that the user requested to view), and the access token (a string that represents the user’s credential for the Office Web Apps to use to request the file from SharePoint).
- Office Web Apps Server uses the WOPI Source and the Access Token to get the file from SharePoint.
- The Office Web Apps server displays the file in the iframe on WOPIFrame.
We could see that the WOPI source and the access token are sent from the browser directly. Since all the content are shown from a page within SharePoint that contains the WOPI frame and the iframe, even users see that the URL in the browser is still in SharePoint, the browser is already communicating directly with the Office Web Apps server under the hood.
The MSDN documentation of the WOPI API confirms this:
Therefore, when preparing the for the Office Web Apps server setup in your organization, you will need a public facing IP for the Office Web Apps Server farm.