Tips for Setting Up TFS with SSL

I recently made it through the process of enabling SSL on a TFS instance. Every component is communicating securely now, including the build agent and SharePoint Central Administration. It wasn't easy, though. The MSDN walkthrough of the process is missing some steps. If you're having trouble configuring your environment to use HTTPS, check out the following tips and lessons learned.
  • If your certificates are issued using a fully-qualified domain name (FQDN), you must specify the secure URLs using the FQDNs.
  • As you go through the process, verify the individual components of TFS are functioning correctly using HTTPS both on the server AND externally. If Reporting Services isn't working, TFS doesn't have a chance. The walkthrough gets this out of order, having you reconfigure RS after reconfiguring the team projects and TFS connections. If something went wrong, now you're pointed to an RS instance that doesn't work. Get RS configured to require SSL and test it using the Report Manager web interface. The same goes for SharePoint. Make sure you can access any existing team sites via SSL as well as create standalone sites under the TFS site collection.
  • SharePoint will continue to redirect from secure communications to good ole vanilla HTTP unless Alternate Access Mappings have been created. These can be set up within SharePoint Central Administration. Just go to the Operations tab and click on Alternate Access Mappings under the Global Configuration section. Add internal Intranet URLs for the Default Web Site as well as the Central Administration site.
  • You'll need a separate certificate for each build machine. You cannot use the same certificate used on the application tier machine. A build machine can still support multiple secure build agents with one certificate, as well.
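One way to script the checks from the tips above, as an added example that is not part of the original post or of any TFS tooling: it walks each component URL's redirect chain and reports a short (non-FQDN) host name, a failed certificate check, or a redirect back to plain HTTP such as the one SharePoint issues without Alternate Access Mappings. The host names and paths are constructed placeholders, and the function names are hypothetical.

```python
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def https_fetch(url, timeout=10):
    """GET one URL without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    # The default context verifies the chain and the host name, so a short
    # host name used against an FQDN certificate fails the handshake here.
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(url, fetch=https_fetch, max_hops=5):
    """Walk the redirect chain from url; return a list of findings ([] = OK)."""
    findings = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return findings + [f"downgrade to plain HTTP: {url}"]
        if "." not in (parts.hostname or ""):  # heuristic: single-label name
            findings.append(f"host is not an FQDN: {url}")
        try:
            status, location = fetch(url)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            return findings + [f"TLS/connection failure at {url}: {exc}"]
        if status in REDIRECTS and location:
            url = urljoin(url, location)
            continue
        # 401 counts as reachable: a site that requires authentication
        # answers an unauthenticated probe with a challenge.
        if status >= 500:
            findings.append(f"server error {status} at {url}")
        return findings
    return findings + ["too many redirects"]

if __name__ == "__main__":
    # Constructed placeholder URLs; substitute your own component endpoints.
    for u in ("https://tfs.corp.example.test/Reports",
              "https://tfs.corp.example.test/sites/TeamProject"):
        print(u, audit(u) or "OK")
```

Run it once on the server and once from an outside client, since the tips call for verifying both.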
Hopefully, these tips will help you get your TFS environment running securely. If anyone has other lessons learned from their experience with setting up TFS over HTTPS, let me know and I'll update this post.

UPDATE: The TFS global support team has posted an entry on their blog with an updated walkthrough for setting up TFS for HTTPS / SSL. It's funny knowing that my experiences at a recent client precipitated this update.

jb
