Exposing TFS 2010 to the web using ISA 2006
If you are using Microsoft Visual Studio Team Foundation Server 2010 you might want to make it usable from outside your network. Once TFS itself is ready for that, you will want to create new rules in ISA 2006 to publish it to the web. This tutorial assumes that you have already configured TFS to use FQDN links; if you still need to do that, you can use this post as a guideline.
I also assume that you know how to set up new rules in ISA 2006. This might not be the most secure ISA configuration, but it worked for me. If you have a suggestion on how to make it more secure (should it not be secure enough), please feel free to suggest it in the comments.
Because our developers' home PCs are not joined to our domain, I need to use Basic Authentication.
1. Exposing tfs.mydomain.com (This will expose the main TFS web app, the web services Team Explorer needs, and the reports, based on the config in my previous post):
- Go to the Firewall Policy node in the ISA 2006 Admin console
- Click on “Publish Web Sites” on the Tasks tab in the right sidebar.
- Give your site a name. We use a naming convention for all rules on ISA which is something like “Service : fqdn” so ours is “TFS2010 : tfs.mydomain.com”, Click Next
- Select Rule Action: Allow
- Publishing Type: Publish a single web site or load balancer
- Server Connection Security: Use non-secured connections
- Internal Publishing Details:
- Internal Site Name: tfs.mydomain.com
- Internal Publishing Details: Click on Forward original host header.
- Public Name Details: Public Name: tfs.mydomain.com
- Select Web Listener: Select or create a web listener that accepts inbound traffic on port 8080 and allows Basic and Integrated authentication. To enable Basic, open the listener's properties, go to Authentication, click Advanced and tick "Allow client authentication over HTTP". That option exists because Basic only base64-encodes the password rather than encrypting it: on this plain-HTTP listener anyone on the path between the developer and ISA can read the credentials, and an HTTPS listener with a certificate for the public name is the way to close that gap.
- Authentication Delegation: Select "No Delegation, but client may authenticate directly"
- User Sets: Remove "All Authenticated Users" and add "All Users". With "All Users" ISA does not demand credentials at the listener, so the 401 challenge comes from the web server and the client authenticates directly against IIS/TFS.
- Click Finish
In Summary, when you double-click on the rule, these are my settings (tab to tab):
Tab: General
- Name: TFS2010 : tfs.mydomain.com
Tab: Action
- Action to take: Allow
Tab: From
- Anywhere
Tab: To
- This rule applies to this published site: tfs.mydomain.com
- Forward the original host header: Ticked
- Proxy requests to published site: Requests appear to come from the original client
Tab: Traffic
- HTTP
Tab: Listener
My listener has the following settings:
- Networks: External
- Port(HTTP): 8080
- Port(HTTPS): Disabled
- Authentication Methods: Basic, Integrated
- Always Authenticate: No
Tab: Public Name
- This rule applies to: Requests from the following websites
- Web Sites and ip addresses: tfs.mydomain.com
Tab: Paths
- External path: <Same as internal> | Internal Path: /*
Tab: Authentication Delegation
- No Delegation, but client may authenticate directly
Tab: Bridging
- Redirect requests to HTTP Port: 8080 (ticked)
Tab: Users
- All Users
To publish your SharePoint site, create another rule with exactly the same settings as above, with the following differences. (You can use "Publish SharePoint Sites" if you like; that wizard just fills in the default SharePoint paths. I used this wizard.)
Tab: To
- sp.tfs.mydomain.com
Tab: Listener
- Port(HTTP): 80
Tab: Public Name
- Web sites or ip addresses: sp.tfs.mydomain.com
Tab: Paths
(Leave as is, ISA populates this automatically for sharepoint if you used the publish sharepoint sites wizard, otherwise /*)
Tab: Bridging
- Redirect requests to HTTP port: 80
That should do it. Try to connect team explorer from outside your network.
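As an added check that is not part of the original post, the following Python script probes the published rule from outside the network the way Team Explorer would: an anonymous request to the public name should come back as a 401 carrying the listener's Basic/Integrated challenge, a request with a host name that is not in Public Name should be answered by ISA's own 403 page (error 12202) rather than by TFS, and the same classifier can be run over responses from any other path you publish. It also shows why "Allow client authentication over HTTP" needs thought: a Basic Authorization header decodes straight back to user and password. The host, port and `/tfs/` path are assumptions taken from the tutorial's naming, and the 12202 check assumes ISA's error page contains that code in its body.

```python
"""Probe an ISA 2006 web-publishing rule from outside the network.

Added example, not code from the original post. Assumes the public name,
port and paths used in the tutorial (tfs.mydomain.com:8080, /tfs/) and
that ISA answers an unmatched public name with its 403 / 12202 error page.
"""
import base64
import http.client

PUBLIC_HOST = "tfs.mydomain.com"   # Public Name on the rule (assumed)
PUBLIC_PORT = 8080                 # HTTP port on the web listener (assumed)
PROBE_PATH = "/tfs/"               # path of the TFS web app (assumed)


def classify_response(status, headers, body=b""):
    """Turn status, header pairs and body from the listener into a diagnosis.

    headers: list of (name, value) tuples, as http.client's getheaders() returns.
    """
    www_auth = [v for k, v in headers if k.lower() == "www-authenticate"]
    schemes = sorted({v.split()[0] for v in www_auth if v.strip()})
    if status == 401:
        if not schemes:
            return ("401 without a WWW-Authenticate challenge: the auth methods "
                    "on the listener and on IIS do not line up")
        return "challenge: " + ", ".join(schemes)
    if status == 403:
        if b"12202" in body:
            return ("403/12202: no publishing rule matched this host/port/path "
                    "(check Public Name, Paths and the listener port)")
        return "403: the published web server itself refused the request"
    if 200 <= status < 300:
        return "ok"
    return "unexpected status %d" % status


def basic_authorization(user, password):
    """Build the Authorization header a Basic-auth client sends."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("latin-1"))
    return "Basic " + token.decode("ascii")


def decode_basic(header_value):
    """What anyone on the path sees on a plain-HTTP listener: Basic is only
    base64-encoded, not encrypted. Returns (user, password) or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def probe(host_header, path=PROBE_PATH, authorization=None,
          server=PUBLIC_HOST, port=PUBLIC_PORT, timeout=5):
    """Send one GET to the listener and classify the answer.

    Returns (status, diagnosis); status is None when the listener is unreachable.
    """
    headers = {"Host": host_header, "User-Agent": "isa-rule-probe"}
    if authorization:
        headers["Authorization"] = authorization
    conn = http.client.HTTPConnection(server, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, classify_response(resp.status, resp.getheaders(), body)
    except (OSError, http.client.HTTPException) as exc:
        return None, "listener unreachable: %s" % exc
    finally:
        conn.close()


def run_checks(server=PUBLIC_HOST, port=PUBLIC_PORT):
    """The requests worth sending right after creating the rule."""
    return {
        # correct public name, no credentials: expect 401 listing Basic / NTLM
        "anonymous": probe(PUBLIC_HOST, server=server, port=port),
        # a host name that is not in Public Name: expect ISA's 403/12202, not TFS
        "wrong_host": probe("not-published.example", server=server, port=port),
    }


if __name__ == "__main__":
    for name, (status, diagnosis) in run_checks().items():
        print("%-10s %s %s" % (name, status, diagnosis))
```

Run it from a machine outside the network (or change `PUBLIC_HOST` and `PUBLIC_PORT` to whatever name and port you published). If "anonymous" reports a challenge listing only NTLM or Negotiate, Basic was not enabled on the listener; if it reports a 401 with no challenge at all, the IIS authentication methods on the TFS server do not match what the listener allows.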
Gosh, I wish I would have had that information earlier!
Hehe, you're welcome.
Great post.
Would this also apply to a TMG firewall ?
I can’t get the TFS webservice working.. darn 😉
Sorry man, it was my fault. I didn't set the Authentication Delegation correctly. It's working now. Thanks for the help.
The ones indicated by the tutorial, Basic and Integrated. I tried both "All Authenticated Users" and "All Users" and in both cases it doesn't work.
Which authentication mechanisms are you allowing? In your "Users" tab are you allowing "All Users" or only "All Authenticated Users"? It should be "All Authenticated Users".
For internal configuration it worked, but when I try to access the site from an external computer I receive the message:
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Any idea to solve my problem?
Yeah, valid point. Although TFS installed IIS on the server for me, and it worked with ISA without any config changes to IIS. Then again, I've only used TFS on my own laptop outside the network with NTLM authentication. Will try it with Basic and let you know.
Thank you. It worked like a charm. Although it is worth mentioning that IIS authentication methods must be compatible with the listener otherwise it won’t work.