Publishing TFS services to Visual Studio using UAG and SSL-VPN

Our support team recently worked with Ben Ari from the Microsoft Forefront Unified Access Gateway (UAG) support team (here’s his BLOG) on a customer issue where we needed to provide client access to TFS through this gateway. Following are the steps he provided. Many thanks to Ben for this. I hope you find it useful.

--Trevor H.


Publishing TFS services to Visual Studio using UAG and SSL-VPN

To provide access for Visual Studio running on a client that is connected to the internet, to an internal TFS server, one must configure UAG to establish an SSL-VPN tunnel. UAG’s SSL-VPN tunnel employs two client components:

1. The Socket Forwarder

2. The SSL-Tunneling component

The way this works is simple:

The administrator configures the tunnel, on the servers side (UAG), with a list of servers and ports that are to be tunneled. This list is specific per application, so if one was to publish a Telnet server, the application would be configured for the server’s name, and port 23. For TFS, the ports are 80 and 8080.

When the client wants to use TFS, he launches his browser, and types the URL of the UAG server. He then logs-in to the UAG portal, and launches the TFS application, which launches the two components. The Socket Forwarder injects itself into the Name resolution mechanism on the client, and intercepts any name-resolution request to the server (or servers) configured on UAG for the TFS application. If such a request comes in, it resolves it to a local address of 127.0.0.x and forwards traffic on the pre-defined ports to that address. The SSL Tunneling component listens on that address, and encrypts the traffic using SSL. It then sends it to UAG, which decrypts it back and forwards it on to the back-end server.

To configure the application, one must use the “Generic client/server application”. Here are the steps:

1. On UAG, go to the trunk you wish to use.

2. Click ADD to add a new application

3. From the list of applications, select “Generic Client Application (multiple servers)”:


4. Give the application a name to your liking

5. On step 3, I suggest changing the policy to “always” to avoid having to deal with client-side policy issues. After the application works and is acceptable, you might want to harden it by using a stricter policy:


6. On step 4, list the TFS server (or servers), and the ports. You might prefer setting the app to launch automatically, if you like – this may save your users an extra step (but could annoy other users who don’t need it):


7. Complete the wizard, and activate the UAG configuration.

Another option you have is to use the “Enhanced Generic Client Application (multiple servers)” template. This has the option of automatically launching an executable on the client, like the Visual Studio itself:


Comments (3)

  1. Atif Jalal says:

    Trevor ,

    Could you please provide me all the  steps to connect TFS via UAG. I am stuck on step5 of the wizard, the application URL is greyed out. Due to which the Portal home page on the trunk properties does not let me choose initial internal application.

  2. Trevor says:

    If the steps in provided here by Ben do not work, please consider opening a support case with us so we can provide more directed assistance (over Live Meeting, Phone, etc.):

  3. Atif says:

    Thanks for the prompt response. I am stuck at step 5 of the setup wizard. The steps provided by Ben are until step 4 only. Could you please send me the screenshot of the step 5 from your environment to

Skip to main content