Team Foundation Server Proxy 2008 FAQ

Since posting How TFS Proxy 2008 works, I have got a bunch of questions regarding TFS proxy.  I would like to share them with you (with my answers, of course) :)

 

  • Q: I got this error message: "source control proxy is not responding, so the request will be sent to the main server.  Please verify your settings." -- what happens now?
  • A: As long as the main server is functioning and reachable, your command/operation will continue to execute and will deliver the same results.  Version control proxy is a means to speed things up by caching data locally on the proxy.  If TFS Proxy cannot serve a client's download request (for any reason), the client will automatically fall back and download from the main server.

 

  • Q: Can I install TFS AT and Proxy on the same machine?
  • A: Technically, yes, you can, but it is known that the proxy cache statistics may show incorrect numbers.  Practically, there is no point in putting both AT and Proxy on the same machine.

 

  • Q: Can TFS Proxy cache work items?
  • A: No.  For TFS 2005/2008, TFS Proxy caches version control data only.

 

  • Q: Can TFS Proxy act as a surrogate server or a fail-over backup server?
  • A: No.  TFS Proxy merely caches version control data.  Authentication and security checks are still handled by the server.

 

  • Q: Any recommendation for proxy hardware?
  • A: It is hard to say without knowing the specifics (the size of your organization and projects, number of people in your away teams, etc.).  However, the bottleneck will be disk space, disk I/O performance, and network bandwidth.

 

  • Q: When do I need a TFS proxy?
  • A: TFS proxy is good for these scenarios:
    • Cache version control data locally so it takes less time for your away team, who have a slow connection to the main server, to sync their workspace.
    • Reduce disk I/O load on the main server by serving download requests so your main server can concentrate on other things (processing branch merge requests, responding to work item queries, etc.).

 

  • Q: Say I have two away teams A, B.  They both have slow connections to the main server, but they have ok connection between them.  Is it possible to have team A's proxy downloading files from the main server and have team B's proxy downloading files from team A's proxy?
  • A: No.  TFS 2005/2008 Proxy can only download from the main server.

 

  • Q: Why is my TFS proxy just sitting there and not caching files?
  • A: TFS proxy does not prefetch files.  It caches a version control item only after a client that is configured to use that particular proxy makes a download request for it.

 

  • Q: How do I assess my TFS proxy utilization?
  • A: You can look at the cache hit rates ( http://msdn.microsoft.com/en-us/library/ms400683.aspx ).  As a rule of thumb, the more people working in the same code branch, the bigger the performance gain from TFS Proxy.  You can also retrieve proxy statistics programmatically with the class Microsoft.TeamFoundation.Client.ProxyStatistics.

 

Posted 07 November 08 03:39 by tsyang | 1 Comments   
Run Team Foundation Server Proxy 2008 with Network Service Account

Although TFS Proxy is supposed to run as a service user account, there is a way around that if your setup is on a domain.

This is not officially supported by Microsoft, but it works.

Background

It is recommended that you read http://blogs.msdn.com/tsyang/archive/2008/03/24/how-team-foundation-server-proxy-2008-works.aspx before proceeding.

Instruction

  1. Install proxy with a valid user account (for example, yours)
  2. (Optional but recommended) Do not yet add your target TFServer address to proxy.config
    1. This prevents users from using this proxy before you can change the service account.  This will save you some headache (which I could write another short post to explain...)
  3. Locate tfsadminutil.exe in the directory where you installed the proxy
  4. Run tfsadminutil changeaccount /proxy currentServiceAccount "NT Authority\Network Service"
    1. currentServiceAccount refers to the account you entered at the beginning
  5. Add your target TFServer address to proxy.config
  6. iisreset the proxy server machine
  7. Ask your TFServer admin to add this account "proxyMachineDomain\proxyMachineName$" to the TFS group where he/she manages proxy service accounts
    1. "proxyMachineDomain\proxyMachineName$" is your proxy machine's machine account.
  8. Done.

Update

  • Thanks to James Manning for pointing out that this workaround only works in a domain environment.
Posted 26 June 08 05:55 by tsyang | 3 Comments   
How Team Foundation Server Proxy 2008 works
Ever wondered how TFS Proxy works?  While the MSDN article "Team Foundation Server Proxy and Source Control" ( http://msdn2.microsoft.com/en-us/library/ms252490.aspx ) provides a great overview, this blog post adds an end-to-end story for TFS users who like to dig into technical details.

Table of Contents:

  • Workflow
  • Highlights
  • In other words

Workflow:

Let's see what happens among a user (CLIENT), TFServer (SERVER) and TFS Proxy (PROXY) when the user is trying to download a file from TFServer version control repository.

  1. CLIENT authenticates with SERVER.
    1. SERVER terminates connection if authentication failed.  End of story.
  2. CLIENT sends a file download request to SERVER.
  3. SERVER checks CLIENT's read permission on the requested file.
    1. SERVER reports "file does not exist" to CLIENT if CLIENT has no read permission.  End of story.
  4. SERVER sends a download ticket for the requested file to CLIENT.
  5. CLIENT sends the download ticket to PROXY and waits for PROXY to return the requested file.
  6. PROXY checks whether the requested file is already cached.
    1. PROXY returns the requested file to CLIENT if it is already cached.  End of story.
  7. PROXY service account authenticates with SERVER
    1. SERVER terminates connection if authentication failed.  PROXY reports error to CLIENT.  CLIENT will download directly from SERVER.  End of story.
  8. PROXY asks SERVER for the location of VersionControl services.
  9. SERVER checks whether PROXY service account has read permission on server-level information.
    1. SERVER terminates connection if PROXY service account has no read permission on server information.  PROXY reports error to CLIENT.  CLIENT will download directly from SERVER.  End of story.
  10. SERVER tells PROXY where VersionControl services are.
  11. PROXY uses CLIENT's download ticket to download the requested file from SERVER.
  12. PROXY caches the requested file.
  13. PROXY returns requested file to CLIENT.  End of story.

Highlights:

  1. SERVER always checks repository read permission against CLIENT, not PROXY service account.
  2. SERVER always checks server-level information read permission against PROXY service account; and that is the only permission PROXY service account ever needs.
  3. PROXY can save SERVER resources by serving CLIENT's downloading request when the requested file is already cached.
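
The workflow and highlights above, modelled as an added Python example (not TFS code and not from the original post). The ticket is reduced to an opaque (user, path) pair, and the class names, account names and paths are assumptions made for illustration; how the real proxy validates a ticket is not described here, so the model does not attempt it.

```python
# Added model of the CLIENT / SERVER / PROXY download workflow (not TFS code).
# Assumptions: a ticket is an opaque (user, path) pair; users, paths, ACLs are constructed.

class Server:
    def __init__(self, files, acl, proxy_accounts):
        self.files, self.acl, self.proxy_accounts = files, acl, proxy_accounts
        self.downloads = 0                      # file reads served by SERVER

    def request_ticket(self, user, path):
        # Steps 1-4: read permission is checked against CLIENT, never PROXY.
        if path not in self.files or user not in self.acl.get(path, set()):
            raise FileNotFoundError("file does not exist")
        return (user, path)

    def locate_version_control(self, account):
        # Steps 7-10: the only permission the PROXY service account needs.
        if account not in self.proxy_accounts:
            raise PermissionError("no read permission on server-level information")
        return "VersionControl"

    def download(self, ticket):
        self.downloads += 1
        return self.files[ticket[1]]

class Proxy:
    def __init__(self, server, account):
        self.server, self.account, self.cache = server, account, {}

    def fetch(self, ticket):
        path = ticket[1]
        if path not in self.cache:                            # step 6
            self.server.locate_version_control(self.account)  # steps 7-10
            self.cache[path] = self.server.download(ticket)   # steps 11-12
        return self.cache[path]                               # step 13

def client_get(server, proxy, user, path):
    """Return (content, source), where source is 'proxy' or 'server'."""
    ticket = server.request_ticket(user, path)
    try:
        return proxy.fetch(ticket), "proxy"
    except (PermissionError, ConnectionError):
        # Any PROXY failure: CLIENT downloads directly from SERVER.
        return server.download(ticket), "server"

if __name__ == "__main__":
    srv = Server({"$/p/a.cs": b"class A {}"}, {"$/p/a.cs": {"alice"}}, {"DOM\\PROXY01$"})
    px = Proxy(srv, "DOM\\PROXY01$")
    for _ in range(2):  # second request is a cache hit: srv.downloads stays 1
        print(client_get(srv, px, "alice", "$/p/a.cs"), srv.downloads)
```

A user without read permission is refused at the ticket step even when the file is already in the proxy cache, and a proxy whose account is missing from the server-level group caches nothing while clients fall back to the server.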

In other words:

  1. PROXY and SERVER are bound at the server level, not the team project level.
  2. PROXY does not act as a surrogate for SERVER; PROXY only does caching and all permission checking is done by SERVER.
  3. PROXY service account can simply be placed in a server-level group, e.g. "[Server]\Proxy Service Accounts", without any extra security configuration.  This effectively grants PROXY service account read permission on server-level information.
    1. Adding PROXY service account to either TFServer Admin group, TFServer service account group, or any team project group will also grant PROXY service account read permission on server-level information; however, this practice is not recommended because it gives PROXY service account more permissions than it needs.

 

Posted 24 March 08 10:21 by tsyang | 7 Comments   