Designing cross-site deployment solutions with TFS 2008
Bill Essary
Software Architect
Microsoft Corporation
Key Takeaways
TFS component interactions shape user experience
Design around communication and security
VPN for remote teams simplifies design
A few scenarios give broad TFS coverage
Discussion Setting
Great news!!! 20 people added to project…
VPN, VPN, SSL
TFS Security Architecture
Team Explorer - Intranet
Host, Network
Intranet LAN
WSS, SQL RS, TFS AT, TFS DT
Port 8080
http://tfsat:8080
Ports 80, 8080
http://tfsat/sites
http://tfsat/reports
http://tfsat:8080/vc/repository.asmx
http://tfsat:8080/wit/clientservice.asmx
NTLM
Connect to TFS
Team Explorer – TLS/SSL
Host, Network
Secure Channel: SSL/TLS
WSS, SQL RS, TFS AT, TFS DT
Port 8443
https://tfsat.site.com:8443
Anonymous
NTLM, Basic
TFS ISAPI filter modifies WWW-Authenticate header
Basic
Connect to TFS
Team Explorer – TLS/SSL
Host, Network
Secure Channel: SSL/TLS
WSS, SQL RS, TFS AT, TFS DT
Port 8443
https://tfsat.site.com:8443
http://tfsat/sites
http://tfsat/reports
https://tfsat.site.com:8443/vc/repository.asmx
https://tfsat.site.com:8443/wit/clientservice.asmx
WSS/SQL RS URLs must resolve for all clients
TFS Access with Basic/SSL
SSL, SSL, SSL
Takeaways: Team Explorer
Broad test of client health
Users authenticate with Windows Identities
TFS ISAPI filter can force basic auth
WSS/SRS URLs must resolve for all clients
Create Team Project - Intranet
Host, Network
LAN Intranet
WSS, SQL RS, TFS AT, TFS DT
Port 8080
http://tfsat:8080
Ports 80, 8080, 17012
WSS Admin
http://tfsat/sites
http://tfsat/reports
http://tfsat:8080/vc/repository.asmx
http://tfsat:8080/wit/clientservice.asmx
http://tfsat:17012/wssadminservice.asmx
Connect to TFS
Create Project
Create Team Project – TLS/SSL
Host, Network
Secure Channel: SSL/TLS
WSS, SQL RS, TFS AT, TFS DT
8443
https://tfsat.site.com:8443
Ports 443, 8443, 17443
WSS Admin
https://tfsat.site.com/sites
https://tfsat.site.com/reports
https://tfsat.site.com:8443/vc/repository.asmx
https://tfsat.site.com:8443/wit/clientservice.asmx
https://tfsat.site.com:17443/wssadmin.asmx
Connect to TFS
Create Project
TFS Access with Basic/SSL
SSL, SSL, SSL
Recommend: Create team projects from Intranet
Takeaways: Team Project Creation
Wide communication footprint
SharePoint admin port must be accessible
Difficult to get right over TLS/SSL
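A preflight check for the Team Explorer and Team Project Creation takeaways (service URLs must resolve for all clients; the SharePoint admin port must be accessible), added here as an example and not part of the original deck. It takes the service URLs shown on the two TLS/SSL slides, derives the ports a remote client needs opened, and flags URLs that only work on the intranet; the function names and the remote-client rule (HTTPS scheme plus a dotted host name) are assumptions of this example.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}

# Service URLs as shown on the deck's two TLS/SSL slides.
TEAM_EXPLORER_TLS = [
    "https://tfsat.site.com:8443",
    "http://tfsat/sites",
    "http://tfsat/reports",
    "https://tfsat.site.com:8443/vc/repository.asmx",
    "https://tfsat.site.com:8443/wit/clientservice.asmx",
]
CREATE_PROJECT_TLS = [
    "https://tfsat.site.com:8443",
    "https://tfsat.site.com/sites",
    "https://tfsat.site.com/reports",
    "https://tfsat.site.com:8443/vc/repository.asmx",
    "https://tfsat.site.com:8443/wit/clientservice.asmx",
    "https://tfsat.site.com:17443/wssadmin.asmx",
]

def endpoint(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) service URL: {url!r}")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]

def required_ports(urls):
    """Ports a firewall must pass for a client to reach every URL."""
    return sorted({endpoint(u)[2] for u in urls})

def remote_client_problems(urls):
    """List (url, reason) for URLs a client outside the LAN cannot use.

    Assumed rule (this example's, not the deck's): a remote client needs
    an https URL whose host name is fully qualified.
    """
    problems = []
    for url in urls:
        scheme, host, _ = endpoint(url)
        if "." not in host:
            problems.append((url, "single-label host name, intranet only"))
        elif scheme != "https":
            problems.append((url, "not carried over the TLS/SSL channel"))
    return problems

if __name__ == "__main__":
    for urls in (TEAM_EXPLORER_TLS, CREATE_PROJECT_TLS):
        print(required_ports(urls), remote_client_problems(urls))
```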
Team Build (2008) – TLS/SSL
Host, Network
Secure Channel: SSL/TLS
TFS AT, TFS DT
TFS Team Build
TFS Build Drop Point
Start build
Port 8443
Port 9191
View build log
UNC access not available – use SetBuildProperties to configure HTTPS URL
Build failed!
Team Build (2008) – TLS/SSL
Host, Network
Secure Channel: SSL/TLS
TFS AT, TFS DT
TFS Team Build
TFS Build Drop Point
Start build with unit tests
Port 8443
TFS AT verifies that UNC drop location is available for test results
Basic Auth not supported, NTLM may work…
Port 8443, 9443
ServerAccessURL configurable in TFS 2008
TFS Access with Basic/SSL
SSL, SSL, SSL
Recommend: Local build agent… or VPN
Takeaways: Team Build
Bidirectional communication
TFS recognizes build service account
Build agent recognizes TFS service account
TFS 2008
Build server URL for TFS configurable
Build task can set build log link to HTTPS
Remote build with tests requires UNC access
TFS 2005
UNC share must be accessible to TFS
VC Proxy (2008) – TLS/SSL
Host, Network
Secure Channel: SSL/TLS
TFS AT, TFS DT
Ports 443, 8443
TFS VC Proxy
Connect to TFS
domain\user proxy\service
Only VC proxy requires local account on TFS AT with matching username/password in TFS 2008
domain\user
TFS Access with Basic/SSL
SSL, SSL, SSL
Recommend: Service account with matching username and password
Takeaways: VC Proxy
TFS must recognize proxy service account
TFS 2008
Clients authenticate with login credentials
TFS 2005
Shadow accounts on clients, VC proxy, TFS
Key Takeaways
TFS component interactions shape user experience
Design around communication and security
VPN for remote teams simplifies design
A few scenarios give broad TFS coverage
Team Explorer is whole
Team Project Creation
Start a build with tests
Get files through VC proxy
What do you see now?
Related Content
Additional Resources
MSDN: Team Foundation Security Architecture
MSDN: TfsBuildService.exe.config File Settings
Marketing: VSTS Distributed Development
Blog (Aaron Hallberg, Team Build): SetBuildProperties Task
Blog (MVP): Team Foundation Server over a VPN
Blog (MVP): Accessing Team Build log over HTTPS (vs. UNC)
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.