Walkthrough: Setting up Team Foundation Server with Secure Sockets Layer (SSL)
The following walkthrough describes one procedure for requesting, issuing, and assigning certificates that are used for Secure Sockets Layer (SSL) connections. You can increase the security of Team Foundation Server by enabling Secure Sockets Layer (SSL) connections between the client and the server parts of Team Foundation Server.
Important
If you configure Team Foundation Server to use any customized ports, such as HTTPS and SSL, you will not be able to install any service packs for Team Foundation Server after you make those changes. Installation of service packs will fail. You must reconfigure Team Foundation Server to its default settings before you can apply service packs for Team Foundation Server.
Throughout this walkthrough, you will accomplish the following activities:
Create a certificate request for Team Foundation Server Web sites.
Issue the certificate request and create the binary certificate file.
Install and assign the certificate.
Install the certificate on client computers.
Test the certificate.
Note
The procedures in this walkthrough do not require the clients to use HTTPS and SSL only when they connect to Team Foundation Server. For more information about how to restrict connections to HTTPS and SSL only, see How to: Configure Team Foundation Server for HTTPS and SSL Only.
Important
If you have installed Service Pack 1 (SP1) for Team Foundation Server, you can take advantage of support for Basic and Digest authentication available with that service pack. For more information, see Team Foundation Server, Basic Authentication, and Digest Authentication, and then follow the procedures in either Walkthrough: Setting up Team Foundation Server with Secure Sockets Layer (SSL) and an ISAPI Filter or Walkthrough: Setting up Team Foundation Server to Require HTTPS and Secure Sockets Layer (SSL).
Prerequisites
To complete this walkthrough:
Both the data tier and application tier parts of Team Foundation Server must be installed. For more information, see the Team Foundation Installation Guide. You can download the latest version of the Team Foundation Installation Guide from the Microsoft Download Center (https://go.microsoft.com/fwlink/?linkid=40042).
You must have a certification authority (CA) available to issue certificates. This walkthrough assumes that you are using Microsoft Certificate Services as your CA. If you do not have a certification authority, you can install Microsoft Certificate Services and configure a certification authority. For more information, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=70929).
Required Permissions
You must be a member of the Administrators group on the Team Foundation application-tier and data-tier servers and a member of the Team Foundation Administrators group to complete this procedure. For more information about permissions, see Team Foundation Server Permissions.
Assumptions
This walkthrough assumes the following:
The Team Foundation data-tier server and the Team Foundation application-tier server have been installed and deployed in a secure environment and configured according to security best practices.
The administrator configuring Team Foundation Server with SSL is familiar with public key infrastructures (PKIs) and certificates, including familiarity with requesting, issuing, and assigning certificates. For more information about PKI and certificates, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=70930).
The administrator is familiar with configuring Internet Information Services (IIS), Microsoft SQL Server, and network settings, and has a working knowledge of the network topology of the development environment.
Installing Microsoft Certificate Services
This walkthrough uses Microsoft Certificate Services as the certification authority (CA) for issuing certificates. For convenience in this walkthrough, Certificate Services is installed on the Team Foundation application-tier server. For security, you should consider isolating your root certification authority when you deploy Certificate Services in a production deployment. Physical isolation of the CA server, in a facility available only to security administrators, can significantly reduce the risk of tampering. For more information about Certificate Services features and best practices, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=70929).
Warning
Once you have installed Certificate Services, you cannot change the name of the computer or the domain in which the computer is enlisted. If you change the computer name or domain, the certificate issued from the certification authority (CA) is invalidated.
To install Certificate Services
Click Start, click Control Panel, and then select Add or Remove Programs.
Click Add/Remove Windows Components.
In the Windows Components Wizard, click Certificate Services in the Components list.
Review the text in the message box, and then click Yes.
Click Next to start the installation.
On the CA Type page, select Stand-alone root CA, and then click Next.
On the CA Identifying Information page, in Common name for this CA, type the name of the computer.
In Validity period, change the duration for the certificate to six (6) weeks, and then click Next.
On the Certificate Database Settings page, click Next without making any changes.
A message box appears that shows that IIS must be stopped.
In the message box, click Yes.
The Configuring Components page appears.
If a message box appears with information about Active Server Pages (ASP), click Yes.
Click Finish.
Creating a Certificate Request for Team Foundation Server Web Sites
On the application-tier computer, you must create a certificate request for Team Foundation Server using Internet Information Services (IIS) Manager.
To create a certificate request for Team Foundation Server Web sites
Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand computername (Local Computer) and then expand Web sites.
Right-click Team Foundation Server and then click Properties.
In Team Foundation Server Properties, click the Directory Security tab.
Under Secure Communications, click Server Certificate.
The Web Server Certificate Wizard appears. Click Next.
On the Server Certificate page, click Create a new certificate, and then click Next.
On the Delayed or Immediate Request page, click Next.
On the Name and Security Settings page, click Next without making any changes.
On the Organization Information page, specify values for Organization and Organization unit. For example, enter the name of your company as the Organization and your team or group name for Organization unit. Click Next.
On the Your Site's Common Name page, click Next without making any changes.
On the Geographical Information page, specify the appropriate information in the Country/Region, State/province, and City/locality boxes, and then click Next.
On the Certificate Request File Name page, under File name, specify the location where you want the certificate request file saved and the name of the file, and then click Next.
Note
Make sure that you save the certificate request file to a network share or other location that can be accessed from the CA computer.
Review the information listed on the Request File Summary page and then click Next.
Click Finish.
Click OK to exit the Team Foundation Server Properties dialog box.
Issuing a Certificate Request and Creating a Binary Certificate File
After you have created a certificate request, you must have the CA, in this case Microsoft Certificate Services, issue a certificate based on the request. As soon as a certificate is created, you can assign the certificate to the appropriate Web sites using IIS.
To issue a certificate request using Microsoft Certificate Services
Click Start, click Administrative Tools, and then click Certification Authority.
In the Explorer pane, right-click the computer name, select All Tasks, and the click Submit new request.
In the Open Request File dialog box, locate the certificate request text file that you created in the previous procedure, and then click Open.
In the Explorer pane, expand the computer name, and then click Pending Requests.
Note the Request ID value for the pending request.
Right-click the request, select All Tasks, and then click Issue.
In the Explorer window, under the computer name, select Issued Certificates and review the listed certificates to verify that a certificate was issued that matches the Request ID value for your request.
In Issued Certificates, right-click the issued certificate, select All Tasks, and then click Export Binary Data.
In Columns that contain binary data, select Binary Certificate. Under Export options, select Save binary data to a file, and then click OK.
In Save Binary Data, save the file to a portable media device or network share that can be accessed by the Team Foundation application-tier computer.
Exit Certification Authority.
Installing and Assigning the Certificate
Before you can use SSL with Team Foundation Server, you must install the server certificate on the Team Foundation Server Web site and then configure HTTPS on Team Foundation Server-related Web sites. These related Web sites include the following:
Default Web site
SharePoint Central Administration
Report Server
Installing the Server Certificate
Follow these steps to install the server certificate on Team Foundation Server.
To install the server certificate on the Team Foundation Server Web site
On the Team Foundation application-tier server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand <computername> (local computer) and then expand Web sites.
Right-click Team Foundation Server and then click Properties.
In Team Foundation Server Properties, click the Directory Security tab.
Under Secure Communications, click Server Certificate.
The Web Server Certificate Wizard appears. Click Next.
On the Pending Certificate Request page, select Process the pending request and install the certificate, and then click Next.
On the Process a Pending Request page, click Browse.
In the Open dialog box, under Files of type, select All files (*.*) from the drop-down list, and then locate the directory where you saved the binary certificate in the previous procedure. Select the binary certificate file and then click Open.
On the Process a Pending Request page, click Next.
On the SSL Port page, accept the default value or enter a new value, and then click Next. The default port for SSL connections is 443.
Important
Make a note of the SSL port value that you assign. Before you accept the default value, make sure that the port is not being used by another server certificate. SSL port values must be different for each server certificate you install. For example, if the default port of 443 is not already being used and you accept the default port value of 443 for the Team Foundation Server Web site, you must assign a different port value for the default Web site and the SharePoint Central Administration Web site.
Review the information about the Certificate Summary page, and then click Next.
Click Finish.
On the Directory Security tab, under Authentication and access control, click Edit.
In Authentication Methods, make sure that the Enable anonymous access box is cleared. In Authenticated access, select Integrated Windows authentication and Digest authentication for Windows domain servers. Clear any other selections, and then click OK.
Note
After clicking Digest authentication for Windows domain servers, you might be prompted to confirm your choice. Read the text and then click Yes.
Click OK to close the Team Foundation Server Properties dialog box.
Note
If an Inheritance Overrides dialog box appears after clicking OK, click Select All, and then click OK.
Assigning the Certificate to Default Web Site
Follow these steps to set up HTTPS on the default Web site in IIS.
To set up HTTPS on the Default Web site and require SSL
On the Team Foundation application-tier server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand <computername> (local computer) and then expand Web sites.
Right-click Default Web Sites and then click Properties.
In Default Web Site Properties, click the Directory Security tab.
Under Secure Communications, click Server Certificate.
The Web Server Certificate Wizard appears. Click Next.
On the Server Certificate page, select Assign an existing certificate, and then click Next.
On the Available Certificates page, select the certificate whose Friendly Name value is Team Foundation Server. You might have to scroll to see the Friendly Name column in the list. Click Next.
On the SSL Port page, accept the default value or enter a new value, and then click Next. The default port for SSL connections is 443.
Important
Make a note of the SSL port value. SSL port values must be different for each server certificate you install. For example, if you accept the default port value of 443 for the Team Foundation Server Web site, you must assign a different port value for the default Web site and the SharePoint Central Administration Web site.
Review the information about the Certificate Summary page and then click Next.
Click Finish. The wizard will close.
.On the Directory Security tab, under Secure Communications, click Edit.
In Secure Communications, select Require secure channel (SSL). Make sure that Ignore client certificates is selected, and then click OK.
On the Directory Security tab, under Authentication and access control, click Edit.
In Authentication Methods, make sure that the Enable anonymous access box is cleared. In Authenticated access, select Integrated Windows authentication and Digest authentication for Windows domain servers. Clear any other selections, and then click OK.
Note
After clicking Digest authentication for Windows domain servers, you might be prompted to confirm your choice. Read the text and then click Yes.
Click OK to close the Default Web Site Properties dialog box.
Note
If an Inheritance Overrides dialog box appears after clicking OK, click Select All, and then click OK.
Assigning the Certificate to SharePoint Central Administration
Follow these steps to set up HTTPS for SharePoint Central Administration.
To set up HTTPS for SharePoint Central Administration and require SSL
On the Team Foundation application-tier server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand <computername> (local computer) and then expand Web sites.
Right-click SharePoint Central Administration and then click Properties.
In SharePoint Central Administration Properties, click the Directory Security tab.
Under Secure Communications, click Server Certificate.
The Web Server Certificate Wizard appears. Click Next.
On the Server Certificate page, select Assign an existing certificate, and then click Next.
On the Available Certificates page, select the certificate whose Friendly Name value is Team Foundation Server. You might have to scroll to see the Friendly Name column in the list.
Click Next.
On the SSL Port page, accept the default value or enter a new value, and then click Next. The default port for SSL connections is 443.
Important
Make a note of the SSL port value. SSL port values must be different for each server certificate you install. For example, if you accept the default port value of 443 for the Team Foundation Server Web site, you must assign a different port value for the default Web site and the SharePoint Central Administration Web site.
Note
Make a note of this value, as you will need it in order to assign the certificate to the SQL Report Server.
Review the information about the Certificate Summary page and then click Next.
Click Finish.
.On the Directory Security tab, under Secure Communications, click Edit.
In Secure Communications, select Require secure channel (SSL). Make sure that Ignore client certificates is selected, and then click OK.
Click OK to close the SharePoint Central Administration Properties dialog box.
Configuring Your Firewall to Allow SSL Traffic
You must configure your firewall to allow for traffic on the SSL ports you specified in IIS for the default Web site, the Team Foundation Server Web site, and the SharePoint Central Administration Web site.
Note
The procedures for configuring your firewall to allow for SSL traffic will vary depending on the firewall software and hardware that you use in your deployment.
To configure a firewall to allow for network traffic on the SSL ports that are used by Team Foundation Server
- See your firewall product documentation to determine the steps that are required to allow for network traffic on the SSL ports you specified for the default Web site, the Team Foundation Server Web site, and the SharePoint Central Administration Web site.
Updating the Web.Config File to Allow E-Mail Notification Alerts
If you have configured automatic e-mail notification alerts, follow these steps to modify the Web.Config file to allow these alerts to function correctly.
Note
If you do not use e-mail alerts in your Team Foundation Server deployment, you can skip this procedure.
To modify the Web.Config file for e-mail notification alerts
On the Team Foundation application-tier server, open a browser and open the drive**:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\Web Services** directory.
Right-click the Web.Config file and then click Edit. If it is necessary, select an editor with which to modify the file.
In the Web.Config file, search for the TFSUrlPublic element. Uncomment the element and configure the appropriate values for your deployment. For example, if your company Web site was www.contoso.com and your deployment used the standard port for HTTP proxy, you would configure the key as follows:
<add key="TFSURLPublic" value=https://www.contoso.com:8081"/>
Save the file and close the file editor.
Updating the Registry Key for SQL Report Server
Follow these steps to update the registry for SQL Report Server so that reports are displayed correctly on the team project portal sites.
Warning
Incorrectly editing the registry may severely damage the system. Before you change the registry, you should back up any valued data on the computer.
To update the registry key for SQL Report Server
On the Team Foundation application-tier server, click Start, click Run, type regedit, and then click OK. Registry Editor opens.
In Registry Editor, expand HKEY_LOCAL_MACHINE, expand Software, expand Microsoft, expand Visual Studio, expand 8.0, expand Team Foundation, and then click ReportServer.
Right-click Key and then click Modify.
In the Edit String dialog box, in Value data, change the value to reflect the https address of your Team Foundation application-tier server, and then click OK. For example, if the name of your application-tier server is Contoso1, you would change the value of the data from:
https://Contoso1
to
https://Contoso1
Close Registry Editor.
Updating SQL Server Management Studio
Follow these steps to update SQL Server Management Studio with the https URL values for the Windows SharePoint Services and Reporting Services Web sites.
To update SQL Server Management Studio
On the Team Foundation data-tier server, open SQL Server Management Studio. To open SQL Server Management Studio, click Start, click All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.
On the Connect to Server dialog box, select Database Engine for the Server type. Select the appropriate server name and authentication scheme for the server. Provide a valid user name and password if you are required to by your SQL Server installation, and then click Connect.
In Object Explorer, expand Databases, expand TfsIntegration, and expand Tables.
In Tables, right-click tbl_service_interface, and then click Open Table.
The dbo.tbl_service_interface table opens for editing.
In the table, under name, find ReportsService. Edit the entry for url to match the new https value for Reporting Services. Make sure that you include the value that you specified for the SSL port for the Default Web site in IIS. For example, if you specified port 1443 for the Default Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:
https://Contoso1:1443/ReportServer/ReportsService.asmx
In the table, under name, find BaseReportsUrl. Edit the entry for url to match the new https value for team reports. Make sure that you include the value that you specified for the SSL port for the Default Web site in IIS. For example, if you specified port 1443 for the Default Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:
https://Contoso1:1443/Reports
In the table, under name, find WSSAdminService. Edit the entry for url to match the new https value for Windows SharePoint Services. Make sure that you include the value that you specified for the SSL port for the SharePoint Central Administration Web site in IIS. For example, if you specified port 2443 for the SharePoint Central Administration Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:
https://Contoso1:2443/_vti_adm/admin.asmx
In the table, under name, find BaseServerUrl. Edit the entry for url to match the new https value for the default Web site for the Team Foundation application-tier server. Make sure that you include the value that you specified for the SSL port for the Default Web site in IIS. For example, if you specified port 1443 for the Default Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:
https://Contoso1:1443
In the table, under name, find BaseSiteUrl. Edit the entry for url to match the new https value for the default Web site for the Team Foundation application-tier server. Make sure that you include the value that you specified for the SSL port for the Default Web site in IIS. For example, if you specified port 1443 for the Default Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:
https://Contoso1:1443/sites
In the table, under name, find DataSourceServer. Edit the entry for url to match the new https value for the default Web site for the Team Foundation application-tier server. Make sure that you include the value that you specified for the SSL port for the Default Web site in IIS. For example, if you specified port 1443 for the Default Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:
https://Contoso1:1443/ReportServer
On the File menu click Save All.
Close SQL Server Manager.
Configuring Reporting Services for SSL Connections
Follow these steps to configure Reporting Services to require SSL.
To configure Report Server for SSL connections
On the Team Foundation application-tier server, click Start, click Programs, click Microsoft SQL Server 2005, click Configuration Tools, and then click Reporting Services Configuration.
In the Report Server Installation Instance Selection dialog box, make sure that the computer and instance names are correct, and then click Connect.
In the Explorer pane, click Report Server Virtual Directory.
In Report Server Virtual Directory Settings, select Require Secure Socket Layer (SSL) connections. In Require For, select 3 - All SOAP APIs. In Certificate Name, type the name of your Team Foundation application-tier, and then click Apply.
Close Reporting Services Configuration Manager.
Installing the Certificate on Build Servers
If you installed Build Services on one or more servers, you must install the certificate on each of those servers.
Note
In order to perform builds over SSL, the certificate must be installed in the trusted root store on both the build computer for the account on which the build service is running and the computer that initiates the build.
To install the certificate on build servers
Log on to the build server by using an account that is a member of the Administrators group on that computer.
Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:
https:// CertificateServer : port /services/v1.0/serverstatus.asmx
A security message dialog box appears. On Security Alert, click View Certificate.
On the Certificate dialog box, click the Certification Path tab.
In Certification path, click the certification authority. This should be the top node of the certification hierarchy, and there should be a red X next to the name. This indicates that the certification authority is not trusted because it is not in the Trusted Root Certification Authorities store. Click View Certificate.
On the Certificate dialog box, click Install Certificate.
The Certificate Import Wizard opens. Click Next.
On the Certificate Store page, select Place all certificates in the following store, and then click Browse.
In Select Certificate Store, select Show physical stores. In Select the certificate store you want to use, expand Trusted Root Certification Authorities, select Local Computer, and then click OK.
On the Certificate Store page, click Next.
On the Completing the Certificate Import Wizard page, click Finish.
A Certificate Import Wizard dialog box might appear confirming that the import was successful. If the dialog box appears, click OK.
On the Certificate dialog box, click OK. The Certificate dialog box for the top node certification hierarchy will close.
On the Certificate dialog box, click OK. The Certificate dialog box for the subservient certificate will close.
On Security Alert, click No.
Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:
https:// CertificateServer : port /services/v1.0/serverstatus.asmx
The ServerStatus Web Service page should open. This confirms that you have installed the certificate and the certification authority correctly. Close the browser.
Installing the Certificate on Team Foundation Server Proxy Computers
If you installed Team Foundation Server Proxy on one or more computers, you must install the certificate on each of those computers.
To install the certificate on Team Foundation Server Proxy computers
Log on to the Team Foundation Server Proxy server by using an account that is a member of the Administrators group on that computer.
Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:
https:// CertificateServer : port /services/v1.0/serverstatus.asmx
A security message dialog box appears. On Security Alert, click View Certificate.
On the Certificate dialog box, click the Certification Path tab.
In Certification path, click the certification authority. This should be the top node of the certification hierarchy, and there should be a red X next to the name. This indicates that the certification authority is not trusted because it is not in the Trusted Root Certification Authorities store. Click View Certificate.
On the Certificate dialog box, click Install Certificate.
The Certificate Import Wizard opens. Click Next.
On the Certificate Store page, select Place all certificates in the following store, and then click Browse.
In Select Certificate Store, select Show physical stores. In Select the certificate store you want to use, expand Trusted Root Certification Authorities, select Local Computer, and then click OK.
On the Certificate Store page, click Next.
On the Completing the Certificate Import Wizard page, click Finish.
A Certificate Import Wizard dialog box might appear confirming that the import was successful. If this dialog box appears, click OK.
On the Certificate dialog box, click OK. The Certificate dialog box for the top node certification hierarchy will close.
On the Certificate dialog box, click OK. The Certificate dialog box for the subservient certificate will close.
On Security Alert, click No.
Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:
https:// CertificateServer : port /services/v1.0/serverstatus.asmx
The ServerStatus Web Service page should open. This confirms that you have installed the certificate and the certification authority correctly. Close the browser.
Installing the Certificate on Client Computers
Every client computer that accesses Team Foundation Server must have the certificate installed locally. Additionally, if the client computer has previously accessed a Team Foundation Server team project, you must clear the client cache for every user who uses the computer to connect to Team Foundation Server before that user will be able to connect to Team Foundation Server.
Important
Do not follow this procedure for Team Foundation clients installed on the Team Foundation Server itself.
To install the certificate on Team Foundation client computers
Log on to the Team Foundation client computer by using an account that is a member of the Administrators group on that computer.
Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:
https:// CertificateServer : port /services/v1.0/serverstatus.asmx
A security message dialog box appears. On Security Alert, click View Certificate.
On the Certificate dialog box, click the Certification Path tab.
In Certification path, click the certification authority. This should be the top node of the certification hierarchy, and there should be a red X next to the name. This indicates that the certification authority is not trusted because it is not in the Trusted Root Certification Authorities store. Click View Certificate.
On the Certificate dialog box, click Install Certificate.
The Certificate Import Wizard opens. Click Next.
On the Certificate Store page, select Place all certificates in the following store, and then click Browse.
In Select Certificate Store, select Show physical stores. In Select the certificate store you want to use, expand Trusted Root Certification Authorities, select Local Computer, and then click OK.
On the Certificate Store page, click Next.
On the Completing the Certificate Import Wizard page, click Finish.
A Certificate Import Wizard dialog box might appear confirming that the import was successful. If the dialog box appears, click OK.
On the Certificate dialog box, click OK. The Certificate dialog box for the top node certification hierarchy will close.
On the Certificate dialog box, click OK. The Certificate dialog box for the subservient certificate will close.
On Security Alert, click No.
Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:
https:// CertificateServer : port /services/v1.0/serverstatus.asmx
The ServerStatus Web Service page should open. This confirms that you have installed the certificate and the certification authority correctly. Close the browser.
To clear the cache on Team Foundation client computers
Log on to the Team Foundation client computer by using the user credentials of the user you want to update.
On the Team Foundation client computer, close all open instances of Visual Studio.
Open a browser and open the following folder:
drive :\Documents and Settings\ username \Local Settings\Application Data\Microsoft\Team Foundation\1.0\Cache
Delete the contents of the Cache directory. Make sure that you delete all subfolders.
Click Start, click Run, type devenv /resetuserdata, and then click OK.
Repeat these steps for every user account on the computer that accesses Team Foundation Server.
Note
You might want to consider distributing instructions on how to clear the cache to all of your Team Foundation Server users so that they can clear the cache for themselves.
See Also
Concepts
Team Foundation Server, HTTPS, and Secure Sockets Layer (SSL)
Other Resources
Team Foundation Administration Walkthroughs
Securing Team Foundation Server with HTTPS and Secure Sockets Layer (SSL)