Making Office Web Apps Server private
After installing the WAC server following this or another guide, we also normally publish the WAC server through the same reverse proxy method as we do the other Lync web services - using the DNS name that we configured when we created the farm.
If you publish the WAC server this way without doing anything else, it will work the same way for users on the internet as it does for internal users, and we might be content with that. But should we?
My colleague Marjus made this post a little while back on how to limit access to the WAC services to servers from your own domain. If you don’t do this, you’re basically publishing the WAC server as a public service that anyone can add to Topology Builder and use as the WAC server in their own Lync environment.
So, if you want to keep your WAC server to yourself, remember to add every domain that hosts servers which should be able to use the WAC server to the allow list, using the New-OfficeWebAppsHost cmdlet. A wildcard (*) is assumed for every domain in the allow list, so subdomains are covered automatically. You only need to add the domain(s) the servers are in, which are not necessarily the same as the SIP domain(s).
New-OfficeWebAppsHost -Domain "contoso.com"
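The same step for more than one server domain, with a check of the result, as an added example that is not part of the original post. The domain names are placeholders, and the script assumes it runs in an elevated session on a server in the Office Web Apps farm and that Get-OfficeWebAppsHost exposes the list as its allowList property.

```powershell
# Added example: bring the WAC allow list in line with a desired set of server domains.
Import-Module OfficeWebApps

# Placeholder values: the DNS domains of the servers that may use this farm
# (server domains, which may differ from the SIP domains).
$desiredDomains = @('contoso.com', 'fabrikam.com')

# Read the current allow list, dropping empty entries.
$current = @((Get-OfficeWebAppsHost).allowList | Where-Object { $_ })

if ($current.Count -eq 0) {
    # With nothing on the list, the farm is not restricted to any host domain.
    Write-Warning 'Allow list is empty: the WAC farm is usable from any domain.'
}

# Add only the domains that are missing, so the script can be re-run safely.
foreach ($domain in $desiredDomains) {
    if ($current -notcontains $domain) {
        New-OfficeWebAppsHost -Domain $domain | Out-Null
        Write-Output "Added $domain to the allow list"
    }
}

# Re-read the list and flag anything that is not in the desired set.
$final = @((Get-OfficeWebAppsHost).allowList | Where-Object { $_ })
foreach ($domain in $final) {
    if ($desiredDomains -notcontains $domain) {
        Write-Warning "Unexpected domain on the allow list: $domain"
    }
}

Write-Output "Allow list now contains: $($final -join ', ')"
```

An entry flagged as unexpected can be taken off the list with Remove-OfficeWebAppsHost -Domain once you have confirmed that no server in that domain should use the farm.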