Team Foundation Server, HTTPS, and Secure Sockets Layer (SSL)
Team Foundation Server provides services through a collection of Web services hosted on the Team Foundation application tier. By default, these Web services are configured to use HTTP. You can configure Team Foundation Server to use HTTPS with Secure Sockets Layer for additional security for these Web connections.
Configuring Team Foundation Server to use HTTPS and SSL has advantages for businesses with increased security requirements. However, it also has some disadvantages, especially if you configure Team Foundation Server to use HTTPS and SSL only. In addition, how you configure Team Foundation Server to use HTTPS and SSL affects the ability to service your Team Foundation Server deployment, such as applying service packs. You should review the advantages and disadvantages carefully so that you can choose the best configuration for your business needs.
Advantages of Configuring Team Foundation Server to Use Both HTTP and HTTPS with SSL
Although allowing for both HTTP and HTTPS with SSL connections for Web connections is less secure than restricting connections to use HTTPS with SSL only, it also has some advantages. These advantages include the following:
Easier configuration and maintenance of Team Foundation Server.
Increased performance over HTTPS with SSL only, as Web service to Web service calls can use HTTP, which has less of a performance impact than HTTPS with SSL.
Internal Web site access is less restricted.
Advantages of Configuring Team Foundation Server to Use HTTPS with SSL Only
Requiring HTTPS with SSL is the most secure deployment option for Team Foundation Server. All Web connections between the Team Foundation data tier, Team Foundation application tier, and Team Foundation client tier require certificates. Communication between all the tiers is secure. The advantages to requiring HTTPS with SSL include the following:
Increased security because all connections to the Team Foundation application tier are secured.
Automatic control over access because you can configure certificates to expire at the projected end of a phase of a project.
Disadvantages to Configuring Team Foundation Server to Use HTTPS with SSL
Configuring Team Foundation Server to use HTTPS with SSL might present problems when you attempt to install service packs during the operational lifetime of Team Foundation Server. Depending on your deployment needs, you might have to reconfigure Team Foundation Server to use HTTP before you can successfully apply service packs or other updates. Configuring Team Foundation Server to use HTTPS with SSL also means configuring and managing a certification authority (CA) and certificate trusts. Although Windows Server 2003 includes Certificate Services, you might not want to invest the time and resources required to deploy a secure public key infrastructure (PKI). For more information about public key infrastructures, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=70930).
In addition to maintaining a certification authority, configuring Team Foundation Server to use HTTPS with SSL is a complex task. You will have to set aside the time and resources required to configure and test your Team Foundation Server deployment after you configure it to use HTTPS and SSL.
Other disadvantages to configuring Team Foundation Server to use HTTPS with SSL include the following:
In environments that use both HTTP and HTTPS with SSL, allowing the HTTP connections might allow external connections that are not encrypted if the Team Foundation application tier is not appropriately secured.
In environments that use HTTPS with SSL only, performance will be slower.
In environments that use HTTPS with SSL, troubleshooting problems with Team Foundation Server is more complex.
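In a deployment that allows both HTTP and HTTPS with SSL, the unencrypted external connections described in the first item above can be looked for in the application tier's IIS logs. The following Python script is an added example, not part of the original documentation; the W3C field layout, the SSL port numbers, the internal address ranges, and the sample log rows are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the original page): ports bound to SSL on the
# application tier, and the address ranges treated as internal.
HTTPS_PORTS = {443, 8443}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2007-03-01 09:14:02 10.0.0.5 POST /VersionControl/v1.0/repository.asmx 8080 10.0.0.21 200
2007-03-01 09:15:40 10.0.0.5 POST /VersionControl/v1.0/repository.asmx 8080 203.0.113.44 200
2007-03-01 09:15:58 10.0.0.5 POST /VersionControl/v1.0/repository.asmx 443 203.0.113.44 200
2007-03-01 09:16:31 10.0.0.5 GET /Services/v1.0/Registration.asmx 8080 192.168.1.20 200
2007-03-01 09:17:05 10.0.0.5 POST /WorkItemTracking/v1.0/ClientService.asmx 8080 198.51.100.7 200
2007-03-01 09:17:10 10.0.0.5 GET
"""

def plaintext_external_requests(log_text):
    """Return (client_ip, uri, port) for non-SSL requests from non-internal clients."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the column set can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # truncated or malformed row
        row = dict(zip(fields, values))
        try:
            port = int(row["s-port"])
            client = ipaddress.ip_address(row["c-ip"])
        except (KeyError, ValueError):
            continue                    # log lacks the needed columns or values
        if port in HTTPS_PORTS:
            continue                    # request arrived over an SSL binding
        if any(client in net for net in INTERNAL_NETS):
            continue                    # internal HTTP is expected in mixed mode
        findings.append((str(client), row["cs-uri-stem"], port))
    return findings

if __name__ == "__main__":
    for client, uri, port in plaintext_external_requests(SAMPLE_LOG):
        print(f"unencrypted external request: {client} -> {uri} (port {port})")
```

Any row this reports means the HTTP binding is reachable from outside the ranges you consider internal, which is the condition to correct by restricting that binding at the firewall or in IIS.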
See Also
Tasks
Walkthrough: Setting up Team Foundation Server to Require HTTPS and Secure Sockets Layer (SSL)
Walkthrough: Setting up Team Foundation Server with Secure Sockets Layer (SSL) and an ISAPI Filter
Concepts
Team Foundation Server Security Architecture
Team Foundation Server, Basic Authentication, and Digest Authentication