Several customers that I work with have external partners. Most of the time these partners have domain accounts with the customer and some kind of VPN connection, so working with TFS is not a problem.

It is, however, not uncommon that the distance between the customer and their partner is substantial, and even though TFS is very efficient over the wire, they would still benefit a lot from having a local TFS Source Control Proxy.

This is not as easy as it first sounds, though. It is not common to have trusts between the domains, so the TFS proxy has to run on a computer that is either in a workgroup or a member of the partner domain. This means that the service account has no relation to the customer domain, which makes it impossible for it to access TFS. As you know if you have set up a TFS proxy before, it is the proxy service account's credentials that are used to access TFS and get the files into the proxy cache.

To get this working, the trick is to create a local account on the TFS AT that mirrors the user name and password of the TFS proxy service account. This local account is then added in TFS to give access to the team projects that the proxy is supposed to cache. This is exactly what Bill Essary shows in slide 18 in his slide deck. There is, however, a caveat that Bill doesn’t mention that might give you some grey hairs before you figure it out, and the error message doesn’t give much of a hint either. The only thing you see in the client is something like “The proxy is not configured for this server”, which seems to be kind of a generic error for all proxy-related issues.

The real problem is to be found in the security event log of the proxy server, where you can find failed logon attempts by the domain accounts that people use to access TFS from VS. As you know, VS prompts for credentials to access TFS if the ones you use don’t work. Since these accounts are not in the vendor's domain, the logon obviously fails. The solution once again is to create local accounts, this time on the proxy server, to mirror the accounts used to access TFS. Remember to keep the passwords in sync with the domain accounts.

Once this is in place you should see the proxy starting to cache files.
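To find out which accounts still need a mirror on the proxy server, the failed logons described above can be summarised per account. This is an added example, not part of the original post; it assumes the proxy runs Windows Server 2008 or later (failed logons recorded as event ID 4625), PowerShell 5.1 for `Get-LocalUser`, and an elevated prompt on the proxy server.

```powershell
# Assumptions (not from the original post): event ID 4625 = failed logon,
# PowerShell 5.1+, run elevated on the TFS proxy server.
$since = (Get-Date).AddDays(-1)   # look-back window, adjust as needed

$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is not an error here

$rows = foreach ($evt in $failed) {
    # Named fields live in the event XML: <Data Name="TargetUserName">...</Data>
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Account = $data['TargetUserName']
        Domain  = $data['TargetDomainName']
        Time    = $evt.TimeCreated
    }
}

# Names of the local accounts that already exist on the proxy server
$localNames = @((Get-LocalUser).Name)

$rows | Where-Object Account |
    Group-Object Account, Domain |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Account         = $first.Account
            Domain          = $first.Domain
            Failures        = $_.Count
            LastFailure     = @($_.Group.Time | Sort-Object)[-1]
            LocalMirrorUser = $localNames -contains $first.Account
        }
    } | Sort-Object Failures -Descending | Format-Table -AutoSize
```

A row with `LocalMirrorUser` set to `False` is an account that has no local mirror yet; a row set to `True` that keeps accumulating failures points to a password that is out of sync with the domain account.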

Checklist:

  • Create domain accounts for the vendor staff.
  • Create a local or domain account for the Proxy Service at the vendor.
  • Create a local mirror account for the proxy service on the TFS AT.
  • Add the mirror proxy account so it has access to source control for the Team Projects it is supposed to cache.
  • Install and configure the proxy server.
  • Create local mirror accounts for the vendor staff on the Proxy server.
  • Configure VS to use the proxy.

Note: This is provided as is without any warranty.