In addition to How TFS Proxy 2008 works and TFS Proxy 2008 FAQ, this post focuses on self-help troubleshooting TFS Proxy 2008 issues. The goal of this post is to guide the reader to troubleshoot simple but very common Proxy issues, or at least to give the reader a general idea what could be wrong. You may still need to seek for professional help if the issues with your TFS Proxy setup is beyond the scope of this self-help guide.
There is also a troubleshooting guide for TFS Proxy on MSDN: Troubleshooting Team Foundation Server Proxy http://msdn.microsoft.com/en-us/library/ms400681.aspx
The story behind "Make sure Proxy service account is allowed and not denied GENERIC_READ permission on TFServer."
First, three things to know:
In order to make Proxy work, we need to make sure Proxy service account is recognized by TFServer and is allowed but not denied GENERIC_READ permission.
The easy way:
Because GENERIC_READ is allowed on the "TF Valid Users" group, therefore we can create a server-level group and add Proxy service account as a member so that the server-level group inherits GENERIC_READ from "TF Valid Users" and Proxy service account inherits GENERIC_READ from the server-level group.
The hard way:
If the easy way did not work, then most likely GENERIC_READ is either explicitly and effectively denied for Proxy service account. To find out where GENERIC_READ is explicitly denied, do
TfsSecurity /server:http://serverAddress:port/ /acl $NAMESPACE
Keep in mind that a user/group inherits permission settings from its parent group. Check whether Proxy service account inherits "Deny GENERIC_READ" from its parent or grand-parent groups.
May 20, 2009: Corrected test links to server's proxy statistic page. Thanks to Len Ocin for pointing it out!