Now that we are begrudgingly learning a little about it we have learned that we should disable HTTP on the pools and run with HTTPS only.
So we tried the obvious command to disable HTTP:
Set-OfficeWebAppsFarm -AllowHTTP $False
That gives this wonderful error:
Set-OfficeWebAppsFarm : A positional parameter cannot be found that accepts argument ‘False’.
At line:1 char:1
+ Set-OfficeWebAppsFarm -AllowHTTP $False
+ CategoryInfo : InvalidArgument: (:) [Set-OfficeWebAppsFarm], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.Office.Web.Apps.Administration.SetFarmCommand
After asking around, we found that the secret to this command is to use a colon (:) instead of a space ( ) between the parameter and the value. As such, this is the proper syntax:
Note that if you have the SSLOffloaded parameter set to True that you cannot disable AllowHTTP. If you try, you get this error:
WARNING: When offloading SSL, AllowHttp is automatically enabled.
To work around this, run the following command to set both to false.
Set-OfficeWebAppsFarm -SSLOffloaded:$False -AllowHTTP:$False
For more detail and tips on how to secure your Office Web Apps, see this blog.