Introduction
To analyze and plan for Team Foundation Server security, you must consider the Team Foundation application tier, the Team Foundation data tier, the Team Foundation client tier, and the interactions between them. You will have to know what Web services, databases, and object models are used. You will also have to know what network ports and protocols are used by default, and which ones are customizable.
In addition to its own services, Team Foundation Server depends on other services in order to function. For more information about Team Foundation Server dependencies, see Team Foundation Server Security Concepts.
Object Model
Team Foundation Server includes an object model that enables communication between the Team Foundation client tier and the Team Foundation application tier. This object model also enables software integrators and third parties to customize and extend Team Foundation Server functionality.
Team Foundation Server Object Model
The Team Foundation Server Object Model is a set of managed APIs that include the following interfaces.
· Team Foundation Common Services
· Registration service
· Security service
· Linking service
· Eventing service
· Classification service
· Version Control Object Model
· Work Item Tracking Object Model
The Team Foundation Server object model is publicly documented in the Team Foundation Server extensibility documentation in the Visual Studio SDK.
Web Services and Databases
Team Foundation Server includes a set of Web services and databases. These services and databases are installed and configured separately on the Team Foundation application tier, data tier, and client tier. The following figures briefly illustrate Web services, applications, and databases on Team Foundation Server and on client computers.
Application-tier
The Team Foundation application-tier contains the following ASP.NET Web services that correspond to respective proxies or object models on the client tier. These Web services are not generally intended for third-party integrators to program against, with the except for the Team Build Web service, which is documented in the Team Foundation Server extensibility documentation in the Visual Studio SDK.
· Team Foundation Common Services
· Registration Web service
· Security Web service
· Linking Web service
· Eventing Web service
· Classification Web service
· Version Control Web service
· Work Item Tracking Web service
· Team Build Web service
Data-tier
The Team Foundation data-tier consists of the following operational stores within SQL Server 2005. This includes data, stored procedures, and other associated logic.
· Work item tracking
· Version control
· Team Foundation Common Services
· Team Build
· Reporting warehouse
Client-tier
The client tier uses the same Web services listed in the application tier to communicate with the Team Foundation application-tier, through the Team Foundation Server object model. Besides the Team Foundation Server object model, the Team Foundation client-tier consists of Visual Studio Industry Partners (VSIP) components, Microsoft Office integration, command-line interfaces, and a check-in policy framework for integration with Team Foundation Server and customized integration. For more information about how to extend and customize the client tier, see the extensibility documentation in the Visual Studio SDK.
Network Ports and Protocols
By default, Team Foundation Server is configured to use specific network ports and network protocols. The following diagram illustrates Team Foundation Server network traffic in an example deployment.
Default Network Settings
By default, communication between the Team Foundation application tier, the Team Foundation data tier, build servers, and the Team Foundation Server proxy use the protocols and ports in the following list.
Service and Tier |
Protocol |
Port |
Application Tier – Web Services |
HTTP |
8080 |
Application Tier – Windows SharePoint Services Administration |
HTTP |
This port is randomly generated during Windows SharePoint Services setup. |
Application Tier – Windows SharePoint Services and SQL Reporting Services |
HTTP |
80 |
Build Server – Remote Access from Team Foundation application-tier server |
.NET Remoting |
9191 |
Data Tier |
MS-SQL TCP |
1443 |
Data Tier |
MS-SQL UDP |
1444 |
Team Foundation Server Proxy |
HTTP |
8080 |
Client Tier – Reporting Services |
HTTP |
80 |
Client Tier – Web Services |
HTTP |
8080 |
Customizable Network Settings
You can choose to modify Team Foundation Server to use HTTPS and Secure Socket Layer (SSL) instead of HTTP for Web Services and Microsoft SQL Reporting Services. Communication between the application tier, the data tier, and the client tier would change as described in the following table.
Service and Tier |
Protocol |
Port |
Application Tier – Web Services with SSL |
HTTPS |
Configured by the Administrator |
Application Tier – Windows SharePoint Services Administration |
HTTPS |
Configured by the Administrator |
Application Tier – Windows SharePoint Services and SQL Reporting Services |
HTTPS |
443 |
Client Tier – Reporting Services |
HTTPS |
443 |
Client Tier – Web Services |
HTTPS |
Configured by the Administrator |
For more information about how to configure Team Foundation Server to use HTTPS and SSL, see Walkthrough: Setting up Team Foundation Server with Secure Socket Layer (SSL).
See Also
Team Foundation Server Security Concepts
Walkthrough: Setting up Team Foundation Server with Secure Socket Layer (SSL)
Team Foundation Server Topologies
Team Foundation Server Permissions
0 comments