Accessing Team Foundation Server over the Internet

  • Article

SP1 introduces an extranet feature to Team Foundation Server. Before I link you to the details, though, please accept some cautionary notes (being professionally paranoid when it comes to software security is part of my job description).

Warning the First:

  1. It is always more risky to have mission-critical data accessible over the internet, than to keep it behind a firewall, not-routable from the internet, or both (among other protection schemes). Even leaving aside Oracle's "parade of defects" (sorry, can't resist), it is generally A Good Idea to keep databases at least one level of remove from the public internet. So, think carefully before you put your Team Foundation Server (your source code, your work items, and so on) 'on the edge'. Firewalls and routers aren't silver bullets, but they do reduce the "visible" attack surface of the servers behind them. If at possible, continue to keep a nice crunchy barrier between the public internet and your TF server.
  2. SP1Beta does not (as far as I know) come with a "Go Live" license. So if you want to take this feature for a spin, don't do it on your production TF servers (yet).
  3. Read #1 again. Please!

Having stated Warning the First, here's the deal. We have an ISAPI filter that allows the Team Foundation Server to challenge (and accept) remote users to authenticate using Basic or Digest authentication. "But wait," you're - hopefully - saying to yourself, "those are pretty dangerous to use over the internet - my password's sent practically in plaintext!"

Yes, that's why our documentation also walks you through the process to have IIS support (or even require) HTTPS for these connections.

Warning the Second:

Please, please, please do not enable extranet access without also setting up HTTPS (and, if you allow both HTTP and HTTPS, ensure that the HTTP port can only be reached from your intranet). You can, of course, enable HTTPS even if you're not configuring the ISAPI filter (and you can even use HTTPS between the proxy and the server, and the client and the proxy, etc.).

There, Warning the Second also done. If you want to enable the ISAPI filter and *require* HTTPS, go here. If you want to continue to allow both HTTP and HTTPS (remember - you should also restrict external connections to HTTPS via your firewall or other configuration options), go here.

If you can't tell from the layout, both of these will become official documents (updates to the existing HTTPS documents) around the same time that SP1 "RTM" goes live.

 

You never call me when you're sober...