The Syncplicity On-Premises WOPI Connector is server software that runs as a virtual machine. It connects the Syncplicity orchestration layer in the cloud and Microsoft Office cloud application services to your storage endpoint using the Web Application Open Platform Interface Protocol (WOPI). You should review About Syncplicity StorageVaults and private storage before reading further.
The storage endpoint should already be configured with at least two Syncplicity Storage Connectors. If you have not configured your storage for this, see Hybrid Cloud Storage and Deploy the Syncplicity On-Premise Storage Connector to setup your storage endpoint for Syncplicity.
The following topics describe the prerequisites for installing the on-premises WOPI Connector.
Hardware requirements
The WOPI Connector requires:
- A minimum of two virtual machines hosted on VMware vSphere Hypervisor (ESXi) 6.0, 6.5, 6.7 or later.
- Each virtual machine must be configured with 8 gigabytes of random access memory, 8 virtual cores and a hard disk drive (HDD) of at least 50 GB.
See the next topic about network configuration for the network hardware requirements, which includes an externally-addressable SSL-offloading load balancer, two or more Storage Connectors, and a storage backend that supports a standard NFS v3 or v4, or s3 interfaces.
Software requirements
The following requirements should be met:
- Microsoft Office 365 subscription is needed for users of the Viewing and Editing in Microsoft Office Online feature. For details, see Microsoft Office Online Integration.
-
Each Syncplicity client or app that is to connect to the WOPI Connector must meet the minimum version requirements listed in the table below.
Syncplicity client or app Minimum version iOS 4.4.0 Android 4.5.0
Network configuration
The WOPI Connector is supplied as an OVA file and installed on a virtual machine. The WOPI Connector requires the following:
- Each WOPI Connector requires a dedicated virtual machine hosted on VMware vSphere Hypervisor.
- At least two WOPI Connectors, but you can deploy more for scalability and high-availability.
- Deployment of an externally addressable SSL-offloading load balancer in front of all virtual machines, configured with a certificate authority (CA) signed SSL certificate. Do not use a self-signed certificate.
- Ensure that TLS1.2 is used (by disabling TLS1.0 and TLS1.1), and that SSLv3 is disabled (SSLv3 is disabled by default from the JDK).
As shown in the diagram, a typical example is with the storage layer in the private area of the corporate network. The Storage Connector and WOPI Connector virtual machines are in the semi-private area. The SSL-offloading load balancer is in the DMZ.
Open port requirements
The WOPI Connector requires specific inbound and outbound ports to be open.
Inbound port requirements
To enable the Syncplicity clients to connect to the WOPI Connector from the Internet, the following inbound ports must be open.
Connection | Port |
Protocol |
From the Internet to the SSL-offloading load balancer in the DMZ. |
443 |
HTTPS |
From the SSL-offloading load balancer to the WOPI Connector virtual machines |
9000 |
HTTP |
Atmos storage requirements
To enable the WOPI Connector to connect to an EMC Atmos storage backend, the following inbound ports must be open.
Connection |
Port |
Protocol |
From the WOPI Connector to the Atmos load balancer |
443 if SSL is used with Atmos |
HTTP or HTTPS |
From the WOPI Connector in the DMZ to the Network Time Protocol (NTP) server |
123 |
UDP |
EMC ECS storage requirements
To enable the WOPI Connector to connect to an ECS storage backend, the following inbound ports must be open.
Connection |
Port |
Protocol |
From the WOPI Connector to the ECS load balancer |
9021 if SSL is used to ECS |
HTTP or HTTPS |
From the WOPI Connector in the DMZ to the NTP server |
123 |
UDP |
NFS v3 or v4-based storage
To enable connections from the WOPI Connector virtual machines to the NFS storage backend, the following inbound ports must be open. This includes EMC Isilon storage.
Port |
Protocol |
Type of Traffic |
53 |
TCP |
DNS for SmartConnect (Isilon only) |
111 |
TCP |
SUN Remote Procedure Call |
111 |
UDP |
SUN Remote Procedure Call |
300 |
TCP |
NFS mount daemon |
300 |
UDP |
NFS mount daemon |
302 |
TCP |
NFS stat daemon |
302 |
UDP |
NFS stat daemon |
304 |
TCP |
NFS lock daemon |
304 |
UDP |
NFS lock daemon |
2049 |
TCP |
NFS server daemon |
2049 |
UDP |
NFS server daemon |
Outbound port requirements
In general, traffic outbound to external hosts on port 443 should be allowed. If for some reason this is not so, at least the following should be allowed.
Connection |
Port |
Protocol |
From the WOPI Connector virtual machines to xml.syncplicity.com, xml.eu.syncplicity.com, api.syncplicity.com, api.eu.syncplicity.com, health.syncplicity.com, health.eu.syncplicity.com, and bootstrapper.wopi.syncplicity.com Important: You also need to ensure that onenote.officeapps.live.com is allowed. This is the Microsoft endpoint that the WOPI connector must communicate with. |
443 |
HTTPS |
From the WOPI Connector virtual machines to centos.org, fedoraproject.org Note: Only required during the upgrade procedure or installation of separate packages to allow for RPM dependency checking. |
80 |
HTTP |
Configuring Isilon storage
If you are not using Isilon storage, skip this section.
Isilon storage requires the following additional configuration steps.
- Create a directory on EMC Isilon cluster where you want to store the Syncplicity data. This should be done via an ssh session to the Isilon cluster.
Example:/ifs/syncp-data
- Configure the permissions on the directory via an ssh session to the Isilon cluster.
sudo chown syncp-wopi:syncp-wopi /ifs/syncp-data
sudo chmod 770 /ifs/syncp-data
These commands lock down security access, specifically for the "syncp" user. - Create an NFS Export via the WebUI.
The following screen shows the basic export settings that lock the export down to only the connected Storage Connectors and WOPI Connectors. Add the IP addresses of the WOPI Connectors in the appropriate fields. The values 10.111.158.3 and 10.111.158.4 are example IP addresses of the Storage Connectors. Your IP addresses will be different.
All other export settings should be left as the defaults and not change. - If the WOPI Connector is in the DMZ (Internet side of the firewall) and Isilon storage is inside of the firewall, you need to verify specific ports are opened on the firewall to allow access via NFS from the WOPI Connectors to the Isilon storage. This does not apply if the Isilon storage is not behind a firewall.
- See Installing WOPI Connector to check the NFS mount to the Isilon storage.
This completes the basic configuration of the EMC Isilon storage for the Syncplicity on-premises WOPI Connector.
Current limitations
Customers deploying WOPI Connector in their on-premises datacenter who also are using the StorageVault Authentication (SVA) feature will only be able to view and edit Microsoft documents in Office Online from the Online File Browser. The MS Places integration on mobile does not support SVA. This limitation only applies to SVA-enabled StorageVaults. Customers who are not using SVA can access Syncplicity folders and files from MS Places on mobile.