Team Foundation Server Security Architecture

To analyze and plan for Team Foundation Server security, you must consider the Team Foundation application tier, the Team Foundation data tier, the Team Foundation client tier, Team Foundation Build, Team Foundation Server Proxy, and the interactions between these entities. You will have to know what Web services, databases, and object models are used. Also, you must know which network ports and protocols are used by default, and which network ports are customizable.

Besides its own services, Team Foundation Server depends on other services in order to function. For more information about Team Foundation Server dependencies, see Team Foundation Server Security Concepts.

Object Model

Team Foundation Server includes an object model that enables communication between the Team Foundation client tier and the Team Foundation application tier. This object model also enables software integrators and third parties to customize and extend Team Foundation Server functionality.

Team Foundation Server Object Model

The Team Foundation Server object model is a set of managed APIs that include the following interfaces.

  • Team Foundation Common Services

    • Registration service

    • Security service

    • Linking service

    • Eventing service

    • Classification service

  • Version Control Object Model

  • Work Item Tracking Object Model

  • Team Foundation Build Object Model

The Team Foundation Server object model is publicly documented in the Team Foundation Server extensibility documentation in the Visual Studio SDK.

Web Services and Databases

Team Foundation Server includes a set of Web services and databases. These services and databases are installed and configured separately on the Team Foundation application tier, data tier, and client tier. The following figures provide a high-level view of Web services, applications, and databases on Team Foundation Server and on client computers.

[Figure: Server architecture diagram]

[Figure: Client architecture diagram]

Application Tier

The Team Foundation application tier contains the following ASP.NET Web services that correspond to respective proxies or object models on the client tier. These Web services are not intended for third-party integrators to program against. One exception to this policy is the MSBuild Web service that is documented in the Team Foundation Server extensibility documentation in the Visual Studio SDK.

  • Team Foundation Common Services

    • Registration Web service

    • Security Web service

    • Linking Web service

    • Eventing Web service

    • Classification Web service

  • Version Control Web service

  • Work Item Tracking Web service

  • Team Foundation Build Web service

Data Tier

The Team Foundation data tier consists of the following operational stores within SQL Server 2005. This includes data, stored procedures, and other associated logic. These operational stores are not generally intended for third-party integrators to program against.

  • Work item tracking

  • Version control

  • Team Foundation Common Services

  • Team Foundation Build

  • Reporting warehouse

Client Tier

The client tier uses the same Web services listed in the application tier to communicate with the Team Foundation application tier. It communicates through the Team Foundation Server object model. Besides the Team Foundation Server object model, the Team Foundation client tier consists of Visual Studio Industry Partners (VSIP) components, Microsoft Office integration, command-line interfaces, and a check-in policy framework for integration with Team Foundation Server and customized integration. For more information about how to extend and customize the client tier, see the extensibility documentation in the Visual Studio SDK.

Team Foundation Server Configuration Information

Because Team Foundation Server depends on SQL Server, SQL Server Reporting Services, Internet Information Services (IIS), the Windows operating system, and Windows SharePoint Services, configuration information for Team Foundation Server is stored in five locations:

  • Internet Information Services (IIS) data stores - Team Foundation application tier

  • Team Foundation Server configuration files (web.config, proxy.config) - Team Foundation application tier

  • SQL Server Reporting Services data sources (for example, TFSREPORTS data) - Team Foundation application tier

  • Team Foundation Server integration database - Team Foundation data tier

  • Windows Registry - Team Foundation application, data, and client tiers

When you maintain a Team Foundation Server deployment, you must take all of these configuration sources into account. A configuration change typically requires modifying information that is stored in several locations on the application tier, and often on the data and client tiers as well. Team Foundation Server includes a number of command-line utilities to help you make these changes; in some cases, you must also make manual changes.

Synchronization of Group Identities Between Active Directory and Team Foundation Server

In deployments where Team Foundation Server is running in an Active Directory domain, group and identity information is synchronized when any of the following events occur:

  • The application-tier server for Team Foundation starts.

  • An Active Directory group is added to a group in Team Foundation Server.

  • The amount of time specified in the web.config file elapses. (The default is 1 hour.)

Active Directory is synchronized with the Group Security Service (GSS), the Team Foundation Server security Web service, which then updates the group membership that Team Foundation Server holds. Changed identities are propagated from the server to the clients. Depending on the synchronization interval configured in the web.config file and the nature of the change to groups and users, it might take some time for changes to Active Directory users and groups to be reflected across Team Foundation Server. This applies to removals as well as additions: a user removed from an Active Directory group keeps the access that group grants in Team Foundation Server until the next synchronization, so do not rely on Active Directory group removal alone for time-sensitive revocation.

Groups and Permissions

Team Foundation Server has its own set of default groups. Also, it has permissions that you can set at multiple levels. You can create custom groups and customize permissions at group and individual levels. However, when you add a user or group to Team Foundation Server, that user or group is not automatically added to two components on which Team Foundation Server depends: Windows SharePoint Services and SQL Server Reporting Services. You must add users and groups to those programs and grant the appropriate permissions before those users or groups will function correctly across all Team Foundation Server operations. For more information, see Managing Users and Groups, Managing Permissions, Windows SharePoint Services Roles, and SQL Server Reporting Services Roles.

Network Ports and Protocols

By default, Team Foundation Server is configured to use specific network ports and network protocols. The following diagram illustrates Team Foundation Server network traffic in an example deployment.

[Figure: Ports and communications diagram]

Default Network Settings

By default, communication between the Team Foundation application tier, the Team Foundation data tier, the Team Foundation client tier, build computers, and the Team Foundation Server proxy uses the protocols and ports in the following table. If an asterisk (*) follows the port number, you can customize that port.

Service and Tier | Protocol | Port
Application tier – Web Services | HTTP | 8080
Application tier – Windows SharePoint Services Administration | HTTP | 17012* (if installed with Team Foundation Server); otherwise randomly generated
Application tier – Windows SharePoint Services and SQL Reporting Services | HTTP | 80
Build computer – remote access from Team Foundation application-tier server | SOAP over HTTP | 9191*
Data tier | MS-SQL TCP | 1433*
Team Foundation Server Proxy: client to proxy | HTTP | 8081*
Team Foundation Server Proxy: proxy to application tier | HTTP | 8080*
Client tier – Reporting Services | HTTP | 80
Client tier – Web services | HTTP | 8080*

Customizable Network Settings

You can modify Team Foundation Server to use custom ports for the communication paths marked with an asterisk in the previous table. As an example, the following table shows the ports that change when HTTP is replaced with HTTPS.

Note

Configuring Team Foundation Server to use HTTPS and SSL is a complex task that involves much more than enabling ports for HTTPS network traffic. For more information, see Securing Team Foundation Server with HTTPS and Secure Sockets Layer (SSL).

Service and Tier | Protocol | Port
Application tier – Web Services with SSL | HTTPS | Configured by the administrator
Application tier – Windows SharePoint Services Administration | HTTPS | Configured by the administrator
Application tier – Windows SharePoint Services and SQL Reporting Services | HTTPS | 443
Client tier – Reporting Services | HTTPS | 443
Client tier – Web Services | HTTPS | Configured by the administrator
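The two tables above together define which tier may talk to which port. A practical way to use them is as an allow list: probe each port from each tier and compare what is reachable against the documented matrix, so that a client computer that can reach SQL Server on the data tier, or an HTTP listener that is still reachable after an HTTPS cutover, shows up as a finding. The script below is an added example, not code from the original page or from Microsoft. The flow matrix is transcribed from the tables; the tier names ("client", "app", "data", "build", "proxy"), the 8443 port used as the administrator-chosen HTTPS Web services port, and the sample observations are constructed for illustration.

```python
"""Check observed Team Foundation Server network flows against the port
matrix documented in the two tables above.

Added example; not code from the original page or from Microsoft. The
tier names, the 8443 HTTPS port, and SAMPLE_OBSERVED are constructed.
"""
import socket
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int]      # (source tier, destination tier, TCP port)
Finding = Tuple[str, Flow, str]  # (status, flow, description)


def expected_flows(https: bool = False, web_port: int = 8080) -> Dict[Flow, str]:
    """Flows the page documents for a deployment.

    https=False follows the "Default Network Settings" table; https=True
    follows the "Customizable Network Settings" table, where the Web services
    port is chosen by the administrator (web_port) and the Windows SharePoint
    Services / Reporting Services portal moves to 443.
    """
    web_proto = "HTTPS" if https else "HTTP"
    portal_port = 443 if https else 80
    return {
        ("client", "app", web_port): f"Web services ({web_proto})",
        ("client", "app", portal_port): f"Windows SharePoint Services / Reporting Services ({web_proto})",
        ("app", "data", 1433): "SQL Server (MS-SQL TCP)",
        ("app", "build", 9191): "Team Foundation Build (SOAP over HTTP)",
        # The page's HTTPS table does not list the proxy, so both proxy hops
        # are kept on their HTTP defaults in either mode.
        ("client", "proxy", 8081): "Team Foundation Server Proxy, client to proxy (HTTP)",
        ("proxy", "app", 8080): "Team Foundation Server Proxy, proxy to application tier (HTTP)",
    }


def audit(observed: List[Flow], https: bool = False, web_port: int = 8080) -> List[Finding]:
    """Classify each observed flow as "ok", "plaintext", or "unexpected".

    "plaintext": not in the configured matrix but matching an HTTP default,
    i.e. a legacy HTTP listener is still reachable after an HTTPS cutover.
    "unexpected": the page documents no such path at all, for example a
    client reaching the data tier directly.
    """
    allowed = expected_flows(https, web_port)
    http_defaults = expected_flows(https=False)
    findings: List[Finding] = []
    for flow in observed:
        if flow in allowed:
            findings.append(("ok", flow, allowed[flow]))
        elif flow in http_defaults:
            findings.append(("plaintext", flow, "HTTP default still reachable: " + http_defaults[flow]))
        else:
            findings.append(("unexpected", flow, "not in the documented port matrix"))
    return findings


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds within timeout.
    Run this from each tier to collect real observations in place of
    SAMPLE_OBSERVED."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample, as if tcp_open() had been run from a client computer
# and from the application-tier server.
SAMPLE_OBSERVED: List[Flow] = [
    ("client", "app", 8080),    # Web services on the HTTP default
    ("client", "app", 80),      # portal on the HTTP default
    ("client", "data", 1433),   # a client can reach SQL Server directly
    ("client", "build", 9191),  # a client can reach the build service
    ("app", "data", 1433),      # the documented application-to-data path
]

if __name__ == "__main__":
    # Audit the sample as an HTTPS deployment whose Web services listen on 8443.
    for status, (src, dst, port), desc in audit(SAMPLE_OBSERVED, https=True, web_port=8443):
        print(f"{status:<10} {src:>6} -> {dst:<5} tcp/{port:<5} {desc}")
```

Run against the sample as an HTTP deployment, the two client-to-application-tier flows are reported as ok and the client-to-data-tier and client-to-build flows as unexpected; run as an HTTPS deployment on port 8443, the same two client flows become plaintext findings because the HTTP listeners on 8080 and 80 are still reachable. The "unexpected" class is the one that matters for segmentation: nothing on the page gives a client computer a reason to reach port 1433 or 9191.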

See Also

Concepts

Team Foundation Server Security Concepts

Team Foundation Server Permissions

Other Resources

Team Foundation Server Topologies