Rob Caron

Developer-related topics and other stuff.

Accessing Team Foundation Server Remotely

Accessing Team Foundation Server Remotely

  • Comments 39

Team Foundation client applications, such as Team Explorer, access Team Foundation Server functionality through a collection of Web services hosted on Internet Information Services (IIS) 6.0. The initial RTM release of Team Foundation Server only supports Integrated Windows Authentication, which allows clients to use their Windows credentials to access this functionality.

 

Integrated Windows Authentication is an ideal choice for most deployment scenarios in a corporate environment, but it is not an optimal choice in Internet scenarios due to limitations resulting from proxy servers, firewalls, and trusted connections. For this reason, we originally planned to support Basic and Digest authentication as well. For more information, see Integrated Windows Authentication (IIS 6.0).

 

Unfortunately, we were not able to complete this implementation in time to ship with the initial RTM release of Team Foundation Server. We are continuing to work on adding this support in the near future, which should be available sometime soon after the release of Team Foundation Server. However, this means that Team Foundation Server does not immediately support some scenarios, such as accessing Team Foundation Server through a proxy that does not maintain a connection between the client and server.

 

This does not mean that Team Foundation Server is not accessible from across the Internet. You can use a Virtual Private Network (VPN) should your scenario require accessing Team Foundation Server from outside your local intranet. Alternatively, and subject to your own risk analysis, you may opt to expose your Team Foundation Server directly to the Internet and require the use of encrypted connections (e.g., HTTPS using SSL/TLS); however, you may be thwarted by proxies on the client side of the equation, such as those provided by Internet Service Providers (ISPs).

If your intended use of Team Foundation Server requires support for Basic or Digest authentication, we would like to hear your feedback on the importance of these authentication mechanisms in your deployment scenarios.

[Now available as a KB article: http://support.microsoft.com/kb/916845] 

754

  • Dev'garten's (http://www.devgarten.com) TFS instance is sitting behind an ISA 2004 Reverse Proxy with Integrated Auth doing the howdoyoudo stuff.

    I connect to it via VSTS and I enter my creds that run against the server. It will be moved over to SSL when my certificate arrives, which will secure the comms, although there isn't anything critical on that infrastructure yet.

    The age old issue of publishing services via the web have always had this issue; however, the strengths in having high-value services managed in a carrier-grade DC always outweigh trying to maintain your own home garden.

    I'm a big believer in put your money into redundant, high-speed connectivity infrastructure and relocate your apps to DC's, where someone else is worrying about perimeter security, DR, backup. That's why I think hosted and leased TFS services will be huge ;)
  • Rob Caron blogs about the Team System Friday Morning Briefings.  He also talks about Project Server and...
  • This is the worst news I've head in a while.

    I'm truly speechless and befuddled...
  • Rob-

    We're setting up TFS in our office in the states, and are going to be working with some developers in India. They have their own domain, and are likely not going to trust our domain.

    During our testing of TFS, it seems that we are ok for connecting via the Team Explorer, as it simply prompts for your credentials, and they can enter a username/password that we've created for them in our domain.

    However, a bigger issue is the Proxy server for TFS. I can't seem to get it working. I know the documentation states that you must have the exact same domain account running the TFS Proxy as the main TFS service account, but I REALY REALLY need a way around that - as they are reluctanct to trust our domain.

    Any suggestins?
  • Dave,

    How did you configure your ISA 2004 server?  We're trying to configure our ISA 2004 server to provide an https/ssl link to our TFS but are having little joy at the moment.
  • Working over the Internet is extremely important.  Being able to add consultants, contractors, and even FTEs who are working remotely is extremely common today, both for large enterprises and for smaller organizations.  Not supporting basic "over-the-internet" scenarios is a huge shortfall for VSTS in my opinion.  Basically the product only works using client-server architecture, not Internet and web services architecture.  Very, very disappointing, to me, at least.
  • I had to buy a new box to install Team Foundation Server -- apparently it just won't work on my old Dell...
  • Jamie -

    I asked some people to look into this. One suggestion is to move Team Foundation Server to its own domain. That new domain could be given a one-way trust to the domains in the US and India. That would not impact what the India domain trusts, or what the US domain trusts.

  • I just read this blog to our development team. Shoulders sunk and we all muttered how horrible this is. Thank you for making this clearly known, however.
  • Thanks, Rob. I will look into your idea. I was also thinking of joining their (India's) TFS Proxy server to our domain, even though it is located in India. That may or may not be simpler???

    Please let me know what you find regarding the TFS Proxy account. It seems that since we require the India team to use VPN into our office servers, getting the Proxy to work is the last step!

    Thanks for your help!
  • Jamie -

    In your comment you said, "I know the documentation states that you must have the exact same domain account running the TFS Proxy as the main TFS service account, but I REALY REALLY need a way around that - as they are reluctanct to trust our domain."

    However, this isn't a requirement. The only requirement is that the "TFSProxy" account must be a member of the Team Foundation Server Valid Users group on each Team Foundation Server for which it proxies.
  • I hate to beat this issue into the ground, but being able to connect to TFS over the internet is essential for our development team. When you think this issue will be resolved or a patch/SP will be issued?
  • Access over the Internet is absolutely necessary. This is a huge disappointment! We have been readying ourselves for the rolling out of TFS as we are shifting from Delphi to VSTS at the start of a big new project. We have a distributed development team with members spread across 2 states. We have worked this way for 7 years and I would imagine having a distributed development team is now the rule not the exception. Limiting TFS to only be accessible via a local LAN, or going through the huge expense of setting up a VPN or HTTPS, is ridiculous. I guess we’ll have to use our existing source control and bug tracking tools, that we’ve been able to access via the Internet for the last 7 years, until a real version of TFS comes out.

    This should be priority one for the next release. It’s a showstopper problem.
  • I agree with Mike, we were expecting more of TFS. Specifically an easy way to make it accesible from internet.
Page 1 of 3 (39 items) 123
Leave a Comment
  • Please add 8 and 5 and type the answer here:
  • Post