Team Foundation Server Security Architecture
To analyze and plan for Team Foundation Server security, you must consider the Team Foundation application tier, the Team Foundation data tier, the Team Foundation client tier, Team Foundation Build, Team Foundation Server Proxy, and the interactions between them. You will have to know what Web services, databases, and object models are used. Additionally, you will have to know what network ports and protocols are used by default, and which network ports are customizable.
Besides its own services, Team Foundation Server depends on other services in order to function. For more information about Team Foundation Server dependencies, see Team Foundation Server Security Concepts.
Object Model
Team Foundation Server includes an object model that enables communication between the Team Foundation client tier and the Team Foundation application tier. This object model also enables software integrators and third parties to customize and extend Team Foundation Server functionality.
Team Foundation Server Object Model
The Team Foundation Server object model is a set of managed APIs that include the following interfaces.
Team Foundation Common Services
Registration service
Security service
Linking service
Eventing service
Classification service
Version Control Object Model
Work Item Tracking Object Model
The Team Foundation Server object model is publicly documented in the Team Foundation Server extensibility documentation in the Visual Studio SDK.
Web Services and Databases
Team Foundation Server includes a set of Web services and databases. These services and databases are installed and configured separately on the Team Foundation application tier, data tier, and client tier. The following figures briefly illustrate Web services, applications, and databases on Team Foundation Server and on client computers.
.png)
.gif)
Application Tier
The Team Foundation application tier contains the following ASP.NET Web services that correspond to respective proxies or object models on the client tier. These Web services are not generally intended for third-party integrators to program against, except for the MSBuild Web service that is documented in the Team Foundation Server extensibility documentation in the Visual Studio SDK.
Team Foundation Common Services
Registration Web service
Security Web service
Linking Web service
Eventing Web service
Classification Web service
Version Control Web service
Work Item Tracking Web service
Team Foundation Build Web service
Data Tier
The Team Foundation data tier consists of the following operational stores within SQL Server 2005. This includes data, stored procedures, and other associated logic. These operational stores are not generally intended for third-party integrators to program against.
Work item tracking
Version control
Team Foundation Common Services
Team Foundation Build
Reporting warehouse
Client Tier
The client tier uses the same Web services listed in the application tier to communicate with the Team Foundation application tier, through the Team Foundation Server object model. Besides the Team Foundation Server object model, the Team Foundation client tier consists of Visual Studio Industry Partners (VSIP) components, Microsoft Office integration, command-line interfaces, and a check-in policy framework for integration with Team Foundation Server and customized integration. For more information about how to extend and customize the client tier, see the extensibility documentation in the Visual Studio SDK.
Network Ports and Protocols
By default, Team Foundation Server is configured to use specific network ports and network protocols. The following diagram illustrates Team Foundation Server network traffic in an example deployment.
.gif)
Default Network Settings
By default, communication between the Team Foundation application tier, the Team Foundation data tier, build computers, and the Team Foundation Server proxy, use the protocols and ports in the following list.
| Service and Tier | Protocol | Port |
|---|---|---|
Application tier – Web Services |
HTTP |
8080 |
Application tier – Windows SharePoint Services Administration |
HTTP |
This port is randomly generated during Windows SharePoint Services setup. |
Application tier – Windows SharePoint Services and SQL Reporting Services |
HTTP |
80 |
Build computer – remote access from Team Foundation application-tier server |
.NET Remoting |
9191 |
Data tier |
MS-SQL TCP |
1443 |
Data tier |
MS-SQL UDP |
1444 |
Team Foundation Server Proxy: client to proxy |
HTTP |
8081 |
Team Foundation Server Proxy: proxy to application tier |
HTTP |
8080 |
Client tier - reporting Services |
HTTP |
80 |
Client tier - Web services |
HTTP |
8080 |
Customizable Network Settings
You can choose to modify Team Foundation Server to use HTTPS and Secure Socket Layer (SSL) instead of HTTP for Web Services and Microsoft SQL Reporting Services. Communication between the application tier, the data tier, and the client tier would change as described in the following table.
Note
Configuring Team Foundation Server to use HTTPS and SSL is a complex task that involves much more than enabling ports for HTTPS network traffic. For more information, see Securing Team Foundation Server with HTTPS and Secure Sockets Layer (SSL).
| Service and Tier | Protocol | Port |
|---|---|---|
Application tier – Web Services with SSL |
HTTPS |
Configured by the administrator |
Application tier – Windows SharePoint Services Administration |
HTTPS |
Configured by the administrator |
Application tier – Windows SharePoint Services and SQL Reporting Services |
HTTPS |
443 |
Client tier - reporting Services |
HTTPS |
443 |
Client tier - Web Services |
HTTPS |
Configured by the administrator |
See Also
Concepts
Team Foundation Server Security Concepts
Team Foundation Server Permissions