Share via


Team Foundation Server Security Architecture

To analyze and plan for Team Foundation Server security, you must consider the Team Foundation application tier, the Team Foundation data tier, the Team Foundation client tier, Team Foundation Build, Team Foundation Server Proxy, and the interactions between these entities. You will have to know what Web services, databases, and object models are used. Also, you must know which network ports and protocols are used by default, and which network ports are customizable.

Besides its own services, Team Foundation Server depends on other services in order to function. For more information about Team Foundation Server dependencies, see Team Foundation Server Security Concepts.

Object Model

Team Foundation Server includes an object model that enables communication between the Team Foundation client tier and the Team Foundation application tier. This object model also enables software integrators and third parties to customize and extend Team Foundation Server functionality.

Team Foundation Server Object Model

The Team Foundation Server object model is a set of managed APIs that include the following interfaces.

  • Team Foundation Common Services

    • Registration service

    • Security service

    • Linking service

    • Eventing service

    • Classification service

  • Version Control Object Model

  • Work Item Tracking Object Model

  • Team Foundation Build Object Model

The Team Foundation Server object model is publicly documented in the Team Foundation Server extensibility documentation in the Visual Studio SDK.

Web Services and Databases

Team Foundation Server includes a set of Web services and databases. These services and databases are installed and configured separately on the Team Foundation application tier, data tier, and client tier. The following figures provide a high-level view of Web services, applications, and databases on Team Foundation Server and on client computers.

Server architecture diagramClient architecture diagram

Application Tier

The Team Foundation application tier contains the following ASP.NET Web services that correspond to respective proxies or object models on the client tier. These Web services are not intended for third-party integrators to program against. One exception to this policy is the MSBuild Web service that is documented in the Team Foundation Server extensibility documentation in the Visual Studio SDK.

  • Team Foundation Common Services

    • Registration Web service

    • Security Web service

    • Linking Web service

    • Eventing Web service

    • Classification Web service

  • Version Control Web service

  • Work Item Tracking Web service

  • Team Foundation Build Web service

Data Tier

The Team Foundation data tier consists of the following operational stores within SQL Server 2005. This includes data, stored procedures, and other associated logic. These operational stores are not generally intended for third-party integrators to program against.

  • Work item tracking

  • Version control

  • Team Foundation Common Services

  • Team Foundation Build

  • Reporting warehouse

Client Tier

The client tier uses the same Web services listed in the application tier to communicate with the Team Foundation application tier. It communicates through the Team Foundation Server object model. Besides the Team Foundation Server object model, the Team Foundation client tier consists of Visual Studio Industry Partners (VSIP) components, Microsoft Office integration, command-line interfaces, and a check-in policy framework for integration with Team Foundation Server and customized integration. For more information about how to extend and customize the client tier, see the extensibility documentation in the Visual Studio SDK.

Team Foundation Server Configuration Information

Because Team Foundation Server depends on SQL Server, SQL Server Reporting Services, Internet Information Services (IIS), the Windows operating system, and Windows SharePoint Services, configuration information for Team Foundation Server is stored in five locations:

  • Internet Information Services (IIS) data stores - Team Foundation application tier

  • Team Foundation Server configuration files (web.config, proxy.config) - Team Foundation application tier

  • SQL Server Reporting Services data sources (for example, TFSREPORTS data) - Team Foundation application tier

  • Team Foundation Server integration database - Team Foundation data tier

  • Windows Registry - Team Foundation application, data, and client tiers

When maintaining an Team Foundation Server deployment, you must take these configuration sources into account. To change the configuration in any way, you must modify information that is stored in multiple locations on the application tier. You must also change configuration information on the data and client tiers. Team Foundation Server includes a number of command-line utilities to help you make these changes. However, in some cases you need to make manual changes as well.

Synchronization of Group Identities Between Active Directory and Team Foundation Server

In deployments where Team Foundation Server is running in an Active Directory domain, group and identity information is synchronized when any of the following events occur:

  • The application-tier server for Team Foundation starts.

  • An Active Directory group is added to a group in Team Foundation Server.

  • The amount of time specified in the web.config file elapses. (The default is 1 hour.)

Active Directory synchronizes with Generic Security Services (GSS), which then synchronizes with Team Foundation Server. Changed identities are propagated from the server to the clients. Depending on the synchronization interval configured in the web.config file and the nature of the change to groups and users, it might take some time for changes to Active Directory users and groups to be reflected across Team Foundation Server.

Groups and Permissions

Team Foundation Server has its own set of default groups. Also, it has permissions that you can set at multiple levels. You can create custom groups and customize permissions at group and individual levels. However, when you add a user or group to Team Foundation Server, that user or group is not automatically added to two components on which Team Foundation Server depends: Windows SharePoint Services and SQL Server Reporting Services. You must add users and groups to those programs and grant the appropriate permissions before those users or groups will function correctly across all Team Foundation Server operations. For more information, see Managing Users and Groups, Managing PermissionsWindows SharePoint Services Roles and SQL Server Reporting Services Roles.

Network Ports and Protocols

By default, Team Foundation Server is configured to use specific network ports and network protocols. The following diagram illustrates Team Foundation Server network traffic in an example deployment.

Ports and communications diagram

Default Network Settings

By default, communication between the Team Foundation application tier, the Team Foundation data tier, build computers, and the Team Foundation Server proxy, use the protocols and ports in the following list. If an asterisk (*) follows the port number, you can customize that port.

Service and Tier

Protocol

Port

Application tier – Web Services

HTTP

8080

Application tier – Windows SharePoint Services Administration

HTTP

17012* (if installed with Team Foundation Server); otherwise randomly generated

Application tier – Windows SharePoint Services and SQL Reporting Services

HTTP

80

Build computer – remote access from Team Foundation application-tier server

SOAP over HTTP

9191*

Data tier

MS-SQL TCP

1443*

Team Foundation Server Proxy: client to proxy

HTTP

8081*

Team Foundation Server Proxy: proxy to application tier

HTTP

8080*

Client tier - reporting Services

HTTP

80

Client tier - Web services

HTTP

8080*

Customizable Network Settings

You can modify Team Foundation Server to use some custom ports. You can change communication between the application tier, the data tier, and the client tier, as noted in the previous table. As an example, the following table describes changes in ports from HTTP to HTTPS.

Note

Configuring Team Foundation Server to use HTTPS and SSL is a complex task that involves much more than enabling ports for HTTPS network traffic. For more information, see Securing Team Foundation Server with HTTPS and Secure Sockets Layer (SSL).

Service and Tier

Protocol

Port

Application tier – Web Services with SSL

HTTPS

Configured by the administrator

Application tier – Windows SharePoint Services Administration

HTTPS

Configured by the administrator

Application tier – Windows SharePoint Services and SQL Reporting Services

HTTPS

443

Client tier - reporting Services

HTTPS

443

Client tier - Web Services

HTTPS

Configured by the administrator

See Also

Concepts

Team Foundation Server Security Concepts

Team Foundation Server Permissions

Other Resources

Team Foundation Server Topologies