This document is obsolete.

Official documentation on setting up SSL support for TFS is here:

Securing Team Foundation Server with HTTPS and Secure Sockets Layer (SSL)

 

Enabling Team Foundation Server SSL

 

How to install support for Secure Socket Layers on Team Foundation Server and Team Foundation Clients

 

 

Table of Contents

1        Introduction
2        Network Configuration
2.1    IP setup for Team Foundation Server Machine
2.2    IP Setup for Client Machines
3        Create and Install Certificates
3.1    Installation of the Certificate Service
3.2    Create a Site Certificate Request
3.3    Issue Certificate at Certificate Service
3.4    Install Server Side Certificate
3.5    Create Client Side Certificate
3.6    Install Client Side Certificate
4        Enabling TFS Server IIS Sites SSL
4.1    Default Web Site Setup
4.2    SharePoint Central Administration Site Setup
4.3    Team Foundation Server Site Setup
4.4    Turn On SSL
4.5    Turn On SSL for Reporting Services
4.6    Set Team Foundation Server Registration Variables
4.7    Correct Server Registry Variables
4.8    Restart Server Machine!
4.9    Test Connection from Client Machine
5        Notes

 

1         Introduction

This document describes how to set up SSL on Team Foundation Server and its client machines. The Team Foundation Server machine and the Visual Studio 2005 applications on its clients must be installed before you follow these steps.

The server machine, where Team Foundation Server resides, is Windows 2003 Server SP1 with updates applied up to 26.01.2006.

Team Foundation Server is the RTM product, with SQL Server 2005 RTM.

Also, the server machine is not in a domain; it is in a separate workgroup and has a direct connection to the Internet.

The certificates created in these steps are not official ones, and they are used only for connection encryption.

2         Network Configuration

After Team Foundation Server is installed, do not change the computer name!

In this document, we will use the following server name: “TFSServer”.

Log in with the administrative account "Tfssetup" (the one used to install the Team Foundation Server).

2.1      IP setup for Team Foundation Server Machine

A) Open the network adapter -> Properties -> Internet Protocol (TCP/IP) -> Properties.

B) Set a new fixed IP address for the computer that can be accessed from the Internet.

C) Set the IP mask that matches the IP range of the computer's IP address.

D) Set the IP gateway, DNS server and alternate DNS server as they are set on ISA.

E) Turn on Windows Firewall and enable only ports 443, 8143 and 17013.

F) On TFSServer, test the Internet connection with the Ping.exe utility.


           

2.2      IP Setup for Client Machines

From the intranet, the ISA server (firewall) must have outbound ports 443, 8143 and 17013 open.

Because the client machines are in the intranet, they cannot resolve the server name (TFSServer) to the correct IP address. To avoid this problem, each client machine must map the server name TFSServer to its IP address with a static entry (hosts file or LMHOSTS lookup):

A) Open the C:\WINDOWS\system32\drivers\etc\hosts file and add the line:
xxx.xxx.xxx.xxx [tab] TFSServer
where xxx.xxx.xxx.xxx is the TFSServer IP address.

NOTE: You can also import the mapping at Network adapter -> Properties -> Internet Protocol (TCP/IP) -> Properties -> General (tab) -> Advanced... -> WINS (tab) -> Import LMHOSTS... and load a text file containing the line: xxx.xxx.xxx.xxx [tab] TFSServer. Warning: the previously loaded LMHOSTS file is going to be deleted!


B) To test it, open in IE on the client machine: http://TFSServer

3         Create and Install Certificates

3.1      Installation of the Certificate Service

The Certificate Service is needed for SSL if no other certificate service is available to create and assign the SSL certificate. You can install the Certificate Service on the Team System Server machine itself, but it is recommended to install it on a separate machine. The following procedure assumes that the Certificate Service is installed on the Team System Server machine.

A) Control Panel->Add Programs->Add Windows Components->Certificate Service

B) Finish the installation (the Windows 2003 Server disk is necessary).

C) Use all defaults, and for the CA common name use the server name: TFSServer

NOTE: Do not enable ASP, because it was already enabled by the prior Team System installation.

3.2      Create a Site Certificate Request

The certificate request will be used at the Certificate Service to create the new SSL certificate for the server sites: Default Web Site, SharePoint Central Admin and Team Foundation Server Site.

A) Open the Internet Service Manager Microsoft Management Console (MMC):
Start->Programs->Administrative Tools->Internet Service Manager

B) Double-click the server name so that you see all the Web sites.

C) Right-click the Web site where you want to install the certificate, click Properties.

NOTE: Start with the Default Web Site. The same certificate will later be assigned to the other sites as well: the SharePoint Central Administration Site and the Team Foundation Server Site.

D) Click the Directory Security tab -> Server Certificate button

E) The Certificate Wizard starts. Click Next to continue:

    I) Select Create a new certificate, and then click Next.

    II) Select Prepare the request now, but send it later, and then click Next.

    III) Type a name for your server side certificate, like TFS_Server_Crt, and then select a bit length (use 1024). Do not select the SGC Certificate check box. Click Next to continue.

    IV) Type your organization name and the organizational unit (for example, company name and development department). Click Next.

    V) For Common Name, type server name TFSServer. Click Next.

    VI) Type your location information, and then click Next.

    VII) Type the path and file name where you want to save the certificate information, and then click Next.

    NOTE: If you type anything other than the default location and file name, make sure to note the name and location you selected, because you will have to access this file in the later steps.

    VIII) Verify the information that you have typed, and then click Next to complete the process and create the certificate request.

    IX) In the Completing the Web Server Certificate Wizard dialog box, click Finish.


3.3      Issue Certificate at Certificate Service

The file created by the certificate request (3.2) will be used at the Certificate Service to create the new SSL certificate for the TF server sites: Default Web Site, SharePoint Central Admin and Team Foundation Server Site.

A) Open the Certification Authority Microsoft Management Console (MMC) snap-in:
Start->Programs->Administrative Tools->Certification Authority.

B) Expand Certification Authority.

C) Right-click the server node TFSServer, select All Tasks->Submit New Request and pick the file created as the certificate request (3.2).

D) Click the Pending Requests folder. Your pending certificate requests appear in the right pane. If not, refresh the list.

E) Right-click the pending certificate request (that is, the request that you submitted in step 3.3.C), select All Tasks, and then click Issue.

NOTE: After you select Issue, the certificate is no longer displayed in this window and folder. It now resides in the Issued Certificate folder.

F) Click the Issued Certificate folder. Right-click the issued certificate, select All Tasks->Export Binary Data->Binary Certificate, and choose Save Binary Data to file.

NOTE: This file is the server side certificate for your TFS sites.

3.4      Install Server Side Certificate

A) Open the Internet Services Manager, and then expand the server name so that you can view the Default Web Site.

B) Right-click the Default Web Site that you created the certificate request for, and then click Properties.

C) Click the Directory Security tab. Under Secure Communications, click Server Certificate. This opens the Certificate Installation Wizard. Click Next to continue.

D) Select Process the pending request and install the certificate, and then click Next.

E) Type the location of the certificate that you saved (3.3) and then click Next.

F) When the Wizard displays the certificate summary, verify that the information is correct (TFS_Server_Crt), and then click Next to continue.

G) Click Finish to complete the process.

H) Do not apply the change to the sub virtual folders.

I) For the other two sites, SharePoint Central Admin and Team Foundation Server Site, use a similar process, but at step D) select Assign an existing certificate and pick the TFS_Server_Crt certificate.

NOTE: At this point, you will see two certificates on the list: TFS_Server_Crt and a second one (possible name: TFSServer) that shows TFSServer as both Issued To and Issued By. This second certificate is your "client certificate", the certificate you will send to clients.

3.5      Create Client Side Certificate

At this point, the client side certificate should already be installed in Internet Explorer on TFSServer. This certificate is created when the Certificate Service is installed; it is the root certificate of the new certification authority, which is why it is found under Trusted Root Certification Authorities.

A) To find it, start Internet Explorer on TFSServer. Open menu
Tools->Internet Options->Content (tab)->Certificates->Trusted Root Certification Authorities (tab).

B) In the list, find the certificate that shows TFSServer as both Issued To and Issued By. Export this certificate by selecting it and clicking the Export button. Use the defaults (Next button, do not export the private key) and set the name of the export file to TFSServer_TFSServer.

C) Upload this file to the server's SharePoint site (IE: http://TFSServer), Shared Documents.

3.6      Install Client Side Certificate

On a client machine:

A) Download the certificate file TFSServer_TFSServer from the server's SharePoint Shared Documents (IE: http://TFSServer).

B) Start Internet Explorer. Open menu
Tools->Internet Options->Content (tab)->Certificates->Trusted Root Certification Authorities (tab)->Import-> select the file downloaded in (A)

C) Finish the wizard.

NOTE: At the end, a security warning will be shown. Press the Yes button to install the certificate.

4         Enabling TFS Server IIS Sites SSL

Right-click each web site in IIS (the Default Web Site, SharePoint Central Admin and Team Foundation Server Site) and open the site properties.

WARNING: Do not change any other properties!

4.1      Default Web Site Setup

4.2      SharePoint Central Administration Site Setup


 

4.3      Team Foundation Server Site Setup

 

At the ASP.NET tab, set the variables to point to the appropriate SSL port and server name.

 

4.4      Turn the SSL on

For each site (Default Web Site, SharePoint Central Administration site and Team Foundation Server site), turn SSL on by checking Properties->Directory Security (tab)->Secure communications->Require secure channel (check box).

Only the web site roots must have this attribute set!

Make sure that the SSL setting is cleared for all sub folders.

          

 

 

4.5      Turn the SSL on for Reporting Services

Finally, turn on SSL for Reporting Services using Reporting Services Configuration:

 

Where “ServerCertName” is the name of the server certificate stored in “Trusted Root Certificate Store” on the TFSServer.


4.6       Set Team Foundation Server registration variables

A) If you have been connected to TFSServer using Team Explorer, you can find the RegistrationEntries values in the RegProxyFileCache.xml files (one file per server) in the folder C:\Documents and Settings\[USER]\Local Settings\Application Data\Microsoft\Team Foundation. Save the file.

B) Create a new XML file (TFSReg.xml) based on the following template (replace every occurrence of TFSServer with the target server name):

<?xml version="1.0" encoding="utf-8" ?>
<RegistrationEntries>
    <RegistrationEntry>
        <Type>Reports</Type>
        <ChangeType>Change</ChangeType>
        <ServiceInterfaces>
            <ServiceInterface>
                <Name>ReportsService</Name>
                <Url>https://TFSServer/ReportServer/ReportService.asmx</Url>
            </ServiceInterface>
            <ServiceInterface>
                <Name>BaseReportsUrl</Name>
                <Url>https://TFSServer/Reports</Url>
            </ServiceInterface>
            <ServiceInterface>
                <Name>DataSourceServer</Name>
                <Url>https://TFSServer/ReportServer</Url>
            </ServiceInterface>
        </ServiceInterfaces>
    </RegistrationEntry>
    <RegistrationEntry>
        <Type>Wss</Type>
        <ChangeType>Change</ChangeType>
        <ServiceInterfaces>
            <ServiceInterface>
                <Name>WssAdminService</Name>
                <Url>https://TFSServer:17013/_vti_adm/admin.asmx</Url>
            </ServiceInterface>
            <ServiceInterface>
                <Name>BaseServerUrl</Name>
                <Url>https://TFSServer</Url>
            </ServiceInterface>
            <ServiceInterface>
                <Name>BaseSiteUrl</Name>
                <Url>https://TFSServer/sites</Url>
            </ServiceInterface>
            <ServiceInterface>
                <Name>BaseSiteUnc</Name>
                <Url>\\TFSServer\sites</Url>
            </ServiceInterface>
        </ServiceInterfaces>
    </RegistrationEntry>
</RegistrationEntries>

 

C) Register the XML variables using TFSReg.exe (you will find it on the server in the C:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\Tools folder) as follows:

TFSReg.exe TFSReg.xml TFSServer
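A pre-flight check for TFSReg.xml before it is registered, as an added example that is not part of the original document: it flags any service URL that is still on http, that uses a host other than the certificate's common name, or that uses a port the firewall does not open. The function name check_registration, the host OLDNAME and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_PORTS = {443, 8143, 17013}  # the only ports section 2.1 leaves open

# Constructed sample: part of the template with two deliberate mistakes
# (one URL left on http, one URL pointing at a different host name).
SAMPLE = r"""<?xml version="1.0" encoding="utf-8" ?>
<RegistrationEntries>
  <RegistrationEntry>
    <Type>Wss</Type>
    <ChangeType>Change</ChangeType>
    <ServiceInterfaces>
      <ServiceInterface><Name>WssAdminService</Name><Url>https://TFSServer:17013/_vti_adm/admin.asmx</Url></ServiceInterface>
      <ServiceInterface><Name>BaseServerUrl</Name><Url>http://TFSServer</Url></ServiceInterface>
      <ServiceInterface><Name>BaseSiteUrl</Name><Url>https://OLDNAME/sites</Url></ServiceInterface>
      <ServiceInterface><Name>BaseSiteUnc</Name><Url>\\TFSServer\sites</Url></ServiceInterface>
    </ServiceInterfaces>
  </RegistrationEntry>
</RegistrationEntries>"""


def check_registration(xml_text, server):
    """Return (interface name, url, problem) tuples for entries that would break SSL access."""
    findings = []
    for iface in ET.fromstring(xml_text.encode("utf-8")).iter("ServiceInterface"):
        name = (iface.findtext("Name") or "").strip()
        url = (iface.findtext("Url") or "").strip()
        if url.startswith("\\\\"):  # UNC path (BaseSiteUnc): only the host can be checked
            if url[2:].split("\\", 1)[0].lower() != server.lower():
                findings.append((name, url, "UNC host differs from server name"))
            continue
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            findings.append((name, url, "not https"))
        if (parts.hostname or "").lower() != server.lower():
            # The certificate's common name is the server name (3.2, step V).
            findings.append((name, url, "host differs from certificate common name"))
        if parts.port is not None and parts.port not in ALLOWED_PORTS:
            findings.append((name, url, "port not opened in the firewall"))
    return findings


if __name__ == "__main__":
    for finding in check_registration(SAMPLE, "TFSServer"):
        print(finding)
```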




4.7      Correct server registry variables

A) Open the registry editor using regedit.exe

B) Expand the key HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ VisualStudio \ 8.0 \ TeamFoundation \ ReportServer
and
set "Key"="https://TFSServer"

4.8      Restart the server machine

4.9      Test connection from client machine

Do the following checks one at a time. The result pages must not show errors and must not be blank:

A) Open in IE: https://TFSServer

B) If a Team System project exists, open in IE: https://TFSServer/sites/TSProject

C) Open in IE: https://TFSServer:17013/_vti_adm/admin.asmx

D) Open in IE: https://TFSServer:8143/VersionControl/v1.0/Repository.asmx

E) Start Microsoft Visual Studio 2005.

Tools->Connect To Team Foundation Server->Add...

Set name: TFSServer, port: 8143 and protocol: https. Press the OK button and select the team projects.

After Team Explorer finishes loading the tree, check whether the project's sub items (Work Items, Documents, Reports and Team Builds) can be expanded.
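A scripted version of checks A, C and D for a client machine, as an added example that is not part of the original document: it trusts only the root certificate exported in 3.5, so a success shows that the certificate chain and the name TFSServer both validate. The file name TFSServer_TFSServer.cer (the extension is an assumption) and the function names are hypothetical; the script checks the TLS layer only, not page content.

```python
import ssl
import urllib.error
import urllib.request

# URLs from steps A, C and D of section 4.9.
ENDPOINTS = [
    "https://TFSServer",
    "https://TFSServer:17013/_vti_adm/admin.asmx",
    "https://TFSServer:8143/VersionControl/v1.0/Repository.asmx",
]


def trust_only(ca_bytes):
    """Build a TLS context that trusts nothing but the exported root certificate."""
    # cadata takes PEM as str and DER as bytes; the export wizard can produce either.
    pem = ca_bytes.lstrip().startswith(b"-----BEGIN")
    return ssl.create_default_context(cadata=ca_bytes.decode("ascii") if pem else ca_bytes)


def classify(exc):
    """Map a probe outcome (None means success) to a verdict about the SSL setup."""
    if exc is None:
        return "ok"
    if isinstance(exc, urllib.error.HTTPError):
        # The handshake completed and IIS answered; 401 only means a login is required.
        return "tls-ok-http-%d" % exc.code
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, ssl.SSLCertVerificationError):
        return "certificate-rejected"  # untrusted issuer, name mismatch or expired
    if isinstance(reason, ssl.SSLError):
        return "tls-failure"
    return "unreachable"  # DNS/hosts entry, firewall or service problem


def probe(url, ctx, timeout=10):
    try:
        urllib.request.urlopen(url, context=ctx, timeout=timeout).close()
        return classify(None)
    except OSError as exc:  # URLError, HTTPError and ssl.SSLError all derive from OSError
        return classify(exc)


if __name__ == "__main__":
    # Assumed file name: the root certificate exported in 3.5 and copied to the client.
    with open("TFSServer_TFSServer.cer", "rb") as fh:
        context = trust_only(fh.read())
    for endpoint in ENDPOINTS:
        print(endpoint, "->", probe(endpoint, context))
```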

5         Notes

·         At the end, you can close port 80 on the Team Foundation Server machine.

·         On the client machine you can reset the Visual Studio 2005 settings using the "devenv.exe /resetuserdata" command argument

or alternatively

clean the folder C:\Documents and Settings\[USER]\Local Settings\Application Data\Microsoft\Team Foundation

and

reset the Team Foundation Servers list at the registry key:

HKEY_CURRENT_USER \ Software \ Microsoft \ VisualStudio \ 8.0 \ TeamFoundation \ Servers