Bill Essary Software Architect Microsoft Corporation.


1 Bill Essary Software Architect Microsoft Corporation

2 TFS component interactions shape user experience. Design around communication and security. VPN for remote teams simplifies design. A few scenarios give broad TFS coverage.

3 Great news!!! 20 people added to project… Diagram labels: VPN; VPN; SSL.

4

5 Connect to TFS. Diagram labels: Host Network; Intranet; WSS; SQL RS; TFS AT; TFS DT; Port 8080; http://tfsat:8080; Ports 80, 8080; http://tfsat/sites; http://tfsat/reports; http://tfsat:8080/vc/repository.asmx; http://tfsat:8080/wit/clientservice.asmx; NTLM.

6 Connect to TFS. Diagram labels: Host Network; Secure Channel; WSS; SQL RS; TFS AT; TFS DT; Port 8443; https://tfsat.site.com:8443; Anonymous; NTLM; Basic; Basic. Note: TFS ISAPI filter modifies WWW-Authenticate header.

7 Diagram labels: Host Network; Secure Channel; WSS; SQL RS; TFS AT; TFS DT; Port 8443; https://tfsat.site.com:8443; http://tfsat/sites; http://tfsat/reports; https://tfsat.site.com:8443/vc/repository.asmx; https://tfsat.site.com:8443/wit/clientservice.asmx. Note: WSS/SQL RS URLs must resolve for all clients.

8 Diagram labels: SSL; SSL; SSL.

9 Broad test of client health. Users authenticate with Windows Identities. TFS ISAPI filter can force basic auth. WSS/SRS URLs must resolve for all clients.

10 Connect to TFS; Create Project. Diagram labels: Host Network; Intranet; WSS; SQL RS; TFS AT; TFS DT; Port 8080; http://tfsat:8080; Ports 80, 8080, 17012; WSS Admin; http://tfsat/sites; http://tfsat/reports; http://tfsat:8080/vc/repository.asmx; http://tfsat:8080/wit/clientservice.asmx; http://tfsat:17012/wssadminservice.asmx.

11 Connect to TFS; Create Project. Diagram labels: Secure Channel; Host Network; WSS; SQL RS; TFS AT; TFS DT; 8443; https://tfsat.site.com:8443; Ports 443, 8443, 17443; WSS Admin; https://tfsat.site.com/sites; https://tfsat.site.com/reports; https://tfsat.site.com:8443/vc/repository.asmx; https://tfsat.site.com:8443/wit/clientservice.asmx; https://tfsat.site.com:17443/wssadmin.asmx.

12 Diagram labels: SSL; SSL; SSL. Recommend: Create team projects from Intranet.

13 Wide communication footprint. SharePoint admin port must be accessible. Difficult to get right over TLS/SSL.

14 Diagram labels: Secure Channel; Host Network; TFS AT; TFS DT; TFS Team Build; TFS Build Drop Point; Start build; Port 8443; Port 9191; View build log; Build failed! Note: UNC access not available; use SetBuildProperties to configure HTTPS URL.

15 Diagram labels: Secure Channel; Host Network; TFS AT; TFS DT; TFS Team Build; TFS Build Drop Point; Start build with unit tests; Port 8443; Port 8443, 9443. Notes: TFS AT verifies that UNC drop location is available for test results. Basic Auth not supported, NTLM may work… ServerAccessURL configurable in TFS 2008.

16 Diagram labels: SSL; SSL; SSL. Recommend: Local build agent… or VPN.

17 Bidirectional communication: TFS recognizes build service account; Build agent recognizes TFS service account. TFS 2008: Build server URL for TFS configurable; Build task can set build log link to HTTPS; Remote build with tests requires UNC access. TFS 2005: UNC share must be accessible to TFS.

18 Connect to TFS. Diagram labels: Host Network; Secure Channel; TFS AT; TFS DT; Ports 443, 8443; TFS VC Proxy; domain\user; proxy\service; domain\user. Note: Only VC proxy requires local account on TFS AT with matching username/password in TFS 2008.

19 Diagram labels: SSL; SSL; SSL. Recommend: Service account with matching username and password.

20 TFS must recognize proxy service account. TFS 2008: Clients authenticate with login credentials. TFS 2005: Shadow accounts on clients, VC proxy, TFS.

21 TFS component interactions shape user experience. Design around communication and security. VPN for remote teams simplifies design. A few scenarios give broad TFS coverage: Team Explorer is whole; Team Project Creation; Start a build with tests; Get files through VC proxy.

22

23 Additional Resources. MSDN: Team Foundation Security Architecture. MSDN: TfsBuildService.exe.config File Settings. Marketing: VSTS Distributed Development. Blog (Aaron Hallberg, Team Build): SetBuildProperties Task. Blog (MVP): Team Foundation Server over a VPN. Blog (MVP): Accessing Team Build log over HTTPS (vs. UNC).

24 © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

