Team Foundation Server, HTTPS, and Secure Sockets Layer (SSL)

  • Article

Team Foundation Server provides services through a collection of Web services hosted on the Team Foundation application tier. By default, these Web services are configured to use HTTP. You can configure Team Foundation Server to use HTTPS with Secure Sockets Layer (SSL) for additional security for these Web connections.

Configuring Team Foundation Server to use HTTPS and SSL has advantages for businesses that have increased security requirements. However, this approach also has some disadvantages, especially if you configure Team Foundation Server to use HTTPS and SSL only. In addition, Team Foundation Server has some limitations in how you can configure it.

Important

If you configure Team Foundation Server to use HTTPS and SSL or any customized ports, you will not be able to install any service packs for Team Foundation Server after you make those changes. Installation of service packs will fail. You must reconfigure Team Foundation Server to its default settings before you can apply service packs for Team Foundation Server.

Advantages of Configuring Team Foundation Server to Use Both HTTP and HTTPS with SSL

Allowing for both HTTP and HTTPS with SSL connections for Web connections is less secure than restricting connections to use HTTPS with SSL only. However, this approach also has the following advantages:

  • Easier configuration and maintenance.

  • Increased performance over HTTPS with SSL only, as Web-service to Web-service calls can use HTTP, which has less of a performance impact than HTTPS with SSL.

  • Less restricted access to internal Web sites.

Advantages of Configuring Team Foundation Server to Use HTTPS with SSL Only

Requiring HTTPS with SSL is the most secure deployment option for Team Foundation Server. All Web connections between the Team Foundation data tier, Team Foundation application tier, and Team Foundation client tier require certificates. Communication between all the tiers is secure. Requiring HTTPS with SSL includes the following advantages:

  • Increased security because all connections to the Team Foundation application tier are secured.

  • Automatic control over access because you can configure certificates to expire at the projected end of a project phase.

Disadvantages to Configuring Team Foundation Server to Use HTTPS with SSL

If you configure Team Foundation Server to use HTTPS with SSL, you must also configure and manage a certification authority (CA) and certificate trusts. Although Windows Server 2003 includes Certificate Services, you might not want to invest the time and resources required to deploy a secure public key infrastructure (PKI). For more information about public key infrastructures, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=70930).

In addition to maintaining a certification authority, you must also configure Team Foundation Server to use HTTPS with SSL, which is a complex task. You will have to set aside the time and resources required to configure and test your deployment of Team Foundation Server after you configure it to use HTTPS and SSL.

Configuring Team Foundation Server to use HTTPS with SSL also includes the following disadvantages:

  • In environments that use both HTTP and HTTPS with SSL, allowing the HTTP connections might allow external connections that are not encrypted if the Team Foundation application tier is not appropriately secured.

  • In environments that use HTTPS with SSL only, performance will be slower.

  • In environments that use HTTPS with SSL, troubleshooting problems with Team Foundation Server is more complex.

Limitations

If you configure Team Foundation Server to use HTTPS and SSL or any customized ports, you will not be able to install any service packs for Team Foundation Server after you make those changes. Installation of service packs will fail. You must reconfigure Team Foundation Server to its default settings before you can apply service packs for Team Foundation Server.

Team Foundation Server without Service Pack 1 (SP1) supports Integrated Windows Authentication only. It does not support Basic or Digest authentication. Therefore, Team Foundation Server does not support secure external connection scenarios on its own. However, you can deploy Team Foundation Server in an environment that supports virtual private network (VPN) connections. A remote client can make a VPN connection to the network where Team Foundation Server is deployed and then connect to Team Foundation Server as usual.

Team Foundation Server with SP1 can support Basic and Digest authentication. By configuring your Team Foundation Server deployment to use HTTPS with SSL and Basic or Digest authentication, you can support external connections to your deployment of Team Foundation Server without having to use a VPN connection.

See Also

Tasks

Walkthrough: Setting up Team Foundation Server with Secure Sockets Layer (SSL)
How to: Configure Team Foundation Server for HTTPS and SSL Only

Concepts

Team Foundation Server Security Architecture
Team Foundation Server, Basic Authentication, and Digest Authentication