Office Web Service
The Office Services Web service is used by Office SharePoint Server 2007 as a communication channel between Web servers and application servers. This service uses the following ports:
Access to the web service methods is restricted to the farm administrator group, WSS_ADMIN_WPG. None of the web service methods can be called from user code.
Web Services
Depending on features installed, the Office Server Web Services Web application exposes the following internal Web services, which are not available for calls from custom code:
Friendly Name | Location | Description |
Search Web Service | SearchAdmin.asmx | Microsoft Office SharePoint Server 2007 Search Administration Web Service. |
Search Application Web Service | /SSP/Search/SearchAdmin.asmx | Microsoft Office SharePoint Server 2007 Search Application Administration Web Service. |
Excel Service Soap | /SSP/ExcelCalculationServer/ExcelService.asmx | Microsoft Office SharePoint Server 2007 Excel Services Application Web Service. |
The object model automatically short-circuits the web services (that is, it invokes the underlying functionality without calling the web service) when the target server is also the client, primarily for performance reasons. Hence, the web services are not used:
- On a Basic deployment.
- When the administrative action is performed on a WFE that also happens to be the indexer.
Global Web Service (SearchWebService)
Runs in the Office Server Web Services virtual server root application pool, i.e. an application pool that does not belong to any SSP. This GLOBAL application pool runs as NetworkService.
It is used to retrieve low-level computer configuration settings before any SSP is created, e.g. system drive information, verification of path correctness, and the computer's IP address.
It is also used to create/configure a propagation share. The web method that implements this functionality is special: it impersonates the WindowsIdentity making the request. That identity must be a local administrator on the remote server (only local administrators can create/configure shares).
Allowed access: WSS_ADMIN_WPG.
SSP (Application) Web Service (SearchApplicationWebService)
Primarily used for SSP administration of Search configuration.
A web service associated with a specific SSP on a specific server (indexer and/or query server).
Runs as the SSP web service credentials (the credentials that you enter in the SSP creation/details page).
The SSP web service account can read/write from/to the SSP database and the Search database (only the ones that belong to its SSP).
Allowed access: WSS_ADMIN_WPG and the SSP administration application pool identity.
Security
InterServer Communications
Network traffic can be secured with either SSL on port 56738, or with IPSec on either port.
IPSec is an IP-level feature, which means all traffic on the configured ports is protected, whereas SSL is an application-level protection mechanism.
IPSec has the advantage of limiting which pairs of servers can communicate, by configuring the IP addresses. This feature can significantly lock down a server farm.
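An added example, not part of the original page: one way to derive the server pairs that IPSec filters would permit and to check observed connections on the service port against them. The farm layout, addresses, flow records and function names are constructed assumptions, as is the policy that only web server/application server pairs may communicate; only port 56738 comes from the page.

```python
from ipaddress import ip_address
from itertools import product

# Port named on the page for SSL. Add the farm's other service port here;
# the page's own port list is not reproduced, so it is left out (assumption).
SERVICE_PORTS = {56738}

# Constructed farm topology (hypothetical names and addresses).
# wfe2 holds both roles, like the "WFE that is also the indexer" case above.
FARM = {
    "wfe1": {"ip": "10.0.1.11", "roles": {"web"}},
    "wfe2": {"ip": "10.0.1.12", "roles": {"web", "app"}},
    "idx1": {"ip": "10.0.2.21", "roles": {"app"}},
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.0.1.11", "10.0.2.21", 56738),  # web server <-> application server
    ("10.0.1.11", "10.0.1.12", 56738),  # wfe2 also acts as application server
    ("10.0.9.50", "10.0.2.21", 56738),  # host outside the farm
    ("10.0.9.50", "10.0.2.21", 443),    # different port, out of scope
]


def allowed_pairs(farm):
    """Unordered (web server, application server) IP pairs to permit."""
    web = [ip_address(s["ip"]) for s in farm.values() if "web" in s["roles"]]
    app = [ip_address(s["ip"]) for s in farm.values() if "app" in s["roles"]]
    # A server never pairs with itself: local calls are short-circuited.
    return {frozenset((w, a)) for w, a in product(web, app) if w != a}


def audit(flows, farm, ports=SERVICE_PORTS):
    """Return flows on the service ports whose endpoints are not a permitted pair."""
    pairs = allowed_pairs(farm)
    violations = []
    for src, dst, port in flows:
        if port not in ports:
            continue  # only the Office Server Web Services ports are audited
        if frozenset((ip_address(src), ip_address(dst))) not in pairs:
            violations.append((src, dst, port))
    return violations


if __name__ == "__main__":
    for pair in sorted(tuple(sorted(p)) for p in allowed_pairs(FARM)):
        print("permit", pair[0], "<->", pair[1])
    for flow in audit(FLOWS, FARM):
        print("unexpected", flow)
```

Each permitted pair corresponds to one mirrored IPSec filter between two farm addresses; any flow the audit reports would be blocked once such filters are enforced.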
Service Accounts Used
Search service account
- It is a db_owner in ALL SSP databases.
- It is a db_owner in ALL Search databases.
- It has READ ONLY access to all the content in ALL web applications via a policy.
- It has read/write access to the propagation share on Query servers.
- It has read/write access to the Search registry hive.
- It has read/write access to the Search index location.
SSP administration site application pool identity
- This account is determined by the web application that you select when you create the SSP.
- It has read/write access to the SSP database and the Search database.
- This account has full control over the Search service via its COM interfaces.
- It has read/write access to the Search registry hive.
Global web service account
- This is the GLOBAL application pool account of the Office Server Web Services, i.e. an application pool that does not belong to any SSP.
- It is always set to NetworkService.
SSP (Application) web service
- The application pool account of an SSP web service (the credentials entered in the SSP creation/details page).
- This account has read/write access to the SSP database and to the Search database of an SSP.
- This account has full control over the Search service via its COM interfaces.
- It has read/write access to the Search registry hive.