Designing cross-site deployment solutions with TFS 2008
Bill Essary, Software Architect, Microsoft Corporation

Post on 18-Dec-2015

Page 1: Bill Essary Software Architect Microsoft Corporation

Designing cross-site deployment solutions with TFS 2008
Bill Essary
Software Architect
Microsoft Corporation

Page 2: Key Takeaways

TFS component interactions shape user experience
Design around communication and security
VPN for remote teams simplifies design
A few scenarios give broad TFS coverage

Page 3: Discussion Setting

Great news!!! 20 people added to project…

Diagram labels: VPN, VPN, SSL

Page 4: TFS Security Architecture

Page 5: Team Explorer - Intranet

Diagram labels: Host, Network, Intranet, LAN, WSS, SQL RS, TFS AT, TFS DT, NTLM, Connect to TFS

Port 8080

http://tfsat:8080

Ports 80, 8080

http://tfsat/sites
http://tfsat/reports
http://tfsat:8080/vc/repository.asmx
http://tfsat:8080/wit/clientservice.asmx

Page 6: Team Explorer – TLS/SSL

Diagram labels: Host, Network, Secure Channel, SSL/TLS, WSS, SQL RS, TFS AT, TFS DT, Anonymous, NTLM, Basic, Connect to TFS

Port 8443

https://tfsat.site.com:8443

TFS ISAPI filter modifies WWW-Authenticate header

Page 7: Team Explorer – TLS/SSL

Diagram labels: Host, Network, Secure Channel, SSL/TLS, WSS, SQL RS, TFS AT, TFS DT

Port 8443

https://tfsat.site.com:8443

http://tfsat/sites
http://tfsat/reports
https://tfsat.site.com:8443/vc/repository.asmx
https://tfsat.site.com:8443/wit/clientservice.asmx

WSS/SQL RS URLs must resolve for all clients

Page 8: TFS Access with Basic/SSL

Diagram labels: SSL (×3)

Page 9: Takeaways: Team Explorer

Broad test of client health
Users authenticate with Windows Identities
TFS ISAPI filter can force basic auth
WSS/SRS URLs must resolve for all clients
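The requirement on page 7, that the WSS and SQL RS URLs must resolve for all clients, can be checked mechanically against the URL sets shown on the slides. This is an added example, not part of the original deck: the URL lists are copied from pages 7 and 11, while `audit_service_urls`, `required_ports` and the `open_ports` firewall set are hypothetical names introduced here.

```python
from urllib.parse import urlsplit

# URL sets copied from the slides (page 7 and page 11).
PAGE7_URLS = [
    "http://tfsat/sites",
    "http://tfsat/reports",
    "https://tfsat.site.com:8443/vc/repository.asmx",
    "https://tfsat.site.com:8443/wit/clientservice.asmx",
]
PAGE11_URLS = [
    "https://tfsat.site.com/sites",
    "https://tfsat.site.com/reports",
    "https://tfsat.site.com:8443/vc/repository.asmx",
    "https://tfsat.site.com:8443/wit/clientservice.asmx",
    "https://tfsat.site.com:17443/wssadmin.asmx",
]
DEFAULT_PORTS = {"http": 80, "https": 443}


def audit_service_urls(urls, open_ports):
    """Return {url: [problems]} for URLs a client outside the intranet cannot use.

    open_ports is the set of TCP ports the perimeter exposes (assumption:
    supplied by whoever owns the firewall rules).
    """
    findings = {}
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        problems = []
        if parts.scheme != "https":
            problems.append("not HTTPS")
        if "." not in host:
            problems.append("single-label host name")
        if port not in open_ports:
            problems.append(f"port {port} not exposed")
        if problems:
            findings[url] = problems
    return findings


def required_ports(urls):
    """Ports a firewall must expose for every URL in the set to be reachable."""
    return sorted({urlsplit(u).port or DEFAULT_PORTS[urlsplit(u).scheme] for u in urls})
```

Run against the page 7 set with only 443 and 8443 exposed, the two `http://tfsat/...` entries are flagged; the page 11 set yields the 443, 8443, 17443 port list shown on that slide.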

Page 10: Create Team Project - Intranet

Diagram labels: Host, Network, LAN, Intranet, WSS, SQL RS, TFS AT, TFS DT, WSSAdmin, Connect to TFS, Create Project

Port 8080

http://tfsat:8080

Ports 80, 8080, 17012

http://tfsat/sites
http://tfsat/reports
http://tfsat:8080/vc/repository.asmx
http://tfsat:8080/wit/clientservice.asmx

http://tfsat:17012/wssadminservice.asmx

Page 11: Create Team Project – TLS/SSL

Diagram labels: Host, Network, Secure Channel, SSL/TLS, WSS, SQL RS, TFS AT, TFS DT, WSSAdmin, Connect to TFS, Create Project

8443

https://tfsat.site.com:8443

Ports 443, 8443, 17443

https://tfsat.site.com/sites
https://tfsat.site.com/reports
https://tfsat.site.com:8443/vc/repository.asmx
https://tfsat.site.com:8443/wit/clientservice.asmx

https://tfsat.site.com:17443/wssadmin.asmx

Page 12: TFS Access with Basic/SSL

Diagram labels: SSL (×3)

Recommend: Create team projects from Intranet

Page 13: Takeaways: Team Project Creation

Wide communication footprint
SharePoint admin port must be accessible
Difficult to get right over TLS/SSL

Page 14: Team Build (2008) – TLS/SSL

Diagram labels: Host, Network, Secure Channel, SSL/TLS, TFS AT, TFS DT, TFS Team Build, TFS Build Drop Point, Start build, View build log

Port 8443

Port 9191

UNC access not available – use SetBuildProperties to configure HTTPS URL

Build failed!

Page 15: Team Build (2008) – TLS/SSL

Diagram labels: Host, Network, Secure Channel, SSL/TLS, TFS AT, TFS DT, TFS Team Build, TFS Build Drop Point, Start build with unit tests

Port 8443

Ports 8443, 9443

TFS AT verifies that UNC drop location is available for test results

Basic Auth not supported, NTLM may work…

ServerAccessURL configurable in TFS 2008

Page 16: TFS Access with Basic/SSL

Diagram labels: SSL (×3)

Recommend: Local build agent… or VPN

Page 17: Takeaways: Team Build

Bidirectional communication
  TFS recognizes build service account
  Build agent recognizes TFS service account

TFS 2008
  Build server URL for TFS configurable
  Build task can set build log link to HTTPS
  Remote build with tests requires UNC access

TFS 2005
  UNC share must be accessible to TFS

Page 18: VC Proxy (2008) – TLS/SSL

Diagram labels: Host, Network, Secure Channel, SSL/TLS, TFS AT, TFS DT, TFS VC Proxy, Connect to TFS, domain\user, proxy\service, domain\user

Ports 443, 8443

Only VC proxy requires local account on TFS AT with matching username/password in TFS 2008

Page 19: TFS Access with Basic/SSL

Diagram labels: SSL (×3)

Recommend: Service account with matching username and password

Page 20: Takeaways: VC Proxy

TFS must recognize proxy service account

TFS 2008
  Clients authenticate with login credentials

TFS 2005
  Shadow accounts on clients, VC proxy, TFS

Page 21: Key Takeaways

TFS component interactions shape user experience
Design around communication and security
VPN for remote teams simplifies design
A few scenarios give broad TFS coverage

Team Explorer is whole
Team Project Creation
Start a build with tests
Get files through VC proxy

Page 22: What do you see now?

Page 24:

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.