none
Proxy Configuration for Dummies

    Question

  • Hi,

    my coworker and I just can't get the proxy setup straight. I started a test setup where I have one TFS and one client. The client can connect directly to the TFS without a problem, now I want to do the same, but use a proxy (we will later do this between remote locations with a slow connection). I have some really basic questions and I guess I just did not understand how exaclty the proxy works.

    a) Where do I have to install the proxy portion (the setup in the proxy folder on the TFS CD)? I assume that this goes on the machine that is the client to the actual TFS server. Like this:
    TFS Server ----WAN connection---- Proxy &Client (VS2k5) on same PC
    Correct ?

    b) In the proxy.config file, is it correct to enter the name of the actual TFS Server, such as this:
        <Servers>
            <Server>
                <Uri>http://TFS-SERVER/VersionControl</Uri>
            </Server>
        </Servers>
    Correct ?

    c) Now in VisualStudio, to which TFS do I need to connect ? I understand it as that I need to connect to the PC where the proxy is, which in my case would be "localhost". I told the local proxy that it should connect to the real TFS Server, which I specified in the proxy.config.
    Correct ?

    Well, if I do this I always get two errors in the VS client. TF31001 and TF30059 / HTTP503.
    In my current test setup both PCs are in the same domain and I log on with the same account. So there should be no rights issue.

    I am pretty much sure I do something wrong. Is there any place where I can find "TFS Proxy for Dummies" instructions? I find the supplied documentation from Microsoft not very helpful.

    Thanks in advance!

     

     

     

     

    Friday, March 31, 2006 7:44 PM

Answers

  • The proxy isn't quite what you've guessed.

    The proxy is intended to run on a separate machine (from both the server and the client(s)), and improves version control download operations by caching files as they're requested. (Side note: The AT has a built-in 'proxy' file cache, so you don't need to install the proxy on the AT or anything like that)

    So, the configuration looks more like this:

    TFSServer --- WAN connection --- proxy server --- LAN connection --- client(s)

    Basically, you want a machine with IIS and a decent hard disk to serve as the proxy on the client's side of the slow connection(s).

    a) There's little point to installing the proxy on the client itself - the workspace can be thought of as the local 'cache' of version control data.

    b) Correct, but the URL node includes the proxy's port as well (typically 8081 in our install, but configurable at proxy install time)

    c) In the Connect to TFS dialog, you enter the server. In Tools/Options/Source Control/Team Foundation Server, you'd enter the name and port of the proxy machine.

    Try that setup, and let me know if you have problems or additional questions.

    Also, note that the proxy can service multiple servers (as you probably surmised from the config file structure); but your client can only point at a single proxy at a time. We may overhaul this configuration in a future release, based on customer feedback (internally, we've already observed that for mobile clients like laptops, being able to easily choose a different proxy or no proxy for a given server, would be nice).

    Friday, March 31, 2006 8:17 PM
    Moderator

All replies

  • The proxy isn't quite what you've guessed.

    The proxy is intended to run on a separate machine (from both the server and the client(s)), and improves version control download operations by caching files as they're requested. (Side note: The AT has a built-in 'proxy' file cache, so you don't need to install the proxy on the AT or anything like that)

    So, the configuration looks more like this:

    TFSServer --- WAN connection --- proxy server --- LAN connection --- client(s)

    Basically, you want a machine with IIS and a decent hard disk to serve as the proxy on the client's side of the slow connection(s).

    a) There's little point to installing the proxy on the client itself - the workspace can be thought of as the local 'cache' of version control data.

    b) Correct, but the URL node includes the proxy's port as well (typically 8081 in our install, but configurable at proxy install time)

    c) In the Connect to TFS dialog, you enter the server. In Tools/Options/Source Control/Team Foundation Server, you'd enter the name and port of the proxy machine.

    Try that setup, and let me know if you have problems or additional questions.

    Also, note that the proxy can service multiple servers (as you probably surmised from the config file structure); but your client can only point at a single proxy at a time. We may overhaul this configuration in a future release, based on customer feedback (internally, we've already observed that for mobile clients like laptops, being able to easily choose a different proxy or no proxy for a given server, would be nice).

    Friday, March 31, 2006 8:17 PM
    Moderator
  • Thank you for this quick and helpful reply.

    I did spawn a new question though:
    One the proxy box, do I need to install a full-fledged TFS as well or only the proxy portion ?

    Could I potentially run a local TFS and a proxy for a remote TFS on the same box ? If yes, how to do figure out to which TFS I am connected as the client will point in both cases to the same PC.
    Or asked a bit differently, how to do figure out if I am connected to a TFS through a proxy or directly ?

    Uhhh...and one more question, does domain association play any role? If I understand correctly, the data transfer is done exclusively via HTTP (and why HTTP and not FTP, which tends to be better for file transfers?), so different domains ought not to be a problem - correct ?

    Thanks for undummying me.

     

    Friday, March 31, 2006 8:55 PM
  • You only need the proxy on the proxy box.

    You could (theoretically) put a proxy for a remote TFS on the same box as a local TFS, but keep in mind that those two servers have no real relationship; the client can talk to either or both servers but the servers won't share data in any way.

    The only way to tell if you're connecting through the proxy is to first ensure you've configured it on the client, and then to attempt a download -- you'll get a warning that the proxy isn't responding if the proxy isn't working for some reason.

    Cross-domain can definitely be an issue - if the proxy and server are in different domains without mutual trust, the server probably won't be able to authenticate the proxy.

    HTTP is preferred to FTP because the communication is implemented as a web service, using the existing SOAP over HTTP infrastructure. FTP may be better for the pure exchange of files; but given the variety of operations that are going on, doing the actual file downloads in a similar fashion made sense compared to inventing/managing a separate channel for file transfers.

    Friday, March 31, 2006 9:25 PM
    Moderator
  • For more details about the Proxy config file refer  http://msdn2.microsoft.com/en-us/library/ms400679(VS.80).aspx

    After installing proxy on a seperate machine, Perform the following steps

    Update proxy.config  (on the proxy machine)

    Open Windows Explorer and navigate to the Proxy Install directory
     (For example, C:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\Web Services\VersionControlProxy).
    Using Notepad, open proxy.config.


    Locate the following token and make the appropriate substitution, save and close the file.
    Replace @H_TFSSERVER@/VersionControl with

    http://<YOUR TFS SERVER NAME>:8080/VersionControl 

                      
    Direct Client to Proxy

    Perform the following steps on the client machine

    1. Open VS
    2. Go to Tools -> Options -> Source Control -> Visual Studio Team Foundation Server
    3. Check “Use proxy server”
    4. Server name is <ProxyTierMachine>
    5. Port is 8081
    6. Click OK

     
    Once you are done with these steps,

    Perform a “Force” get on a file from source control explorer.  Errors (if any) from proxy will be displayed in the output window. If there are no errors then you should see some new folders and files under “%program Files%\Microsoft Visual Studio 2005 Team Foundation Server\Web Services\VersionControlProxy\Data\<guid>” on the proxy machine.

    Also you can navigate to http://localhost:8081/VersionControlProxy/v1.0/ProxyStatistics.asmx using IE on the proxy server and see whether non-zero values are displayed for the performance counters

     

    For  more information about Team Foundation Server Proxy configuration, visit the following topic 'How to enable source control caching after installing Team Foundation Server Proxy' in the Team Foundation Administrators guide located online at
    http://go.microsoft.com/fwlink/?linkid=62391 or in the product documentation.

    For more information about Team Foundation Server Proxy installation, see the Team Foundation Installation Guide located online at http://go.microsoft.com/fwlink/?linkid=40042 or the TFSInstall.chm file included with the product.

    Rajesh

     

    Friday, March 31, 2006 10:41 PM
  • OK, first of all, thank you very much for all your good tips.

    I uninstalled everything TFS and installed only the TFS Proxy on the proxy box. I changed the proxy.config file and then started VS on a different PC.

    I changed the TFS settings to use the proxy and entered the name of the proxy box and set the port to 8081.

    After some problems, I finally found the source control explorer. With that one up on the screen I cannot do more than turn the folder pane on and off and click on Refresh. When I click Refresh VS tells me to connect to a TFS. Ahem, and now ?

    I did try adding the proxy box data into the "Add Team Foundation Server" dialog, but neither http nor https on 8080 or 8081 did anything useful. I do get eventually a error TF 31002 "Unable to connect to this Team Foundation Server".

    Do I need to add anything in that dialog ? The Server list is empty though, but since I told VS to use a proxy and gave all there is to enter in the in the options, I'd expect to see that proxy server or the "real" TFS to show in the server list. I did restart VS and that did not do anything either. I could also not find any "Force" option in the source control explorer. I was also not able to find anything about a "Force" option in the documentation. Maybe it is called something else in VS ?

    One the proxy box, the data folder is still empty.

    <rant> I looked at the documentation again, which still is causing more confusion than giving answers. This whole TFS / proxy stuff is severely disturbing and confusing and I wonder if there wasn't a way to make it both easier and working right from the start. Do we always have to wait for SP4 to come around first ?</rant>

    Is there any way I can figure out if the proxy has any chance of getting something from the "real" TFS ? Any web page I can open and simulate a proxy or client for that TFS ? If the proxy cannot connect to the main server, then the client will not be able to get anything out of the proxy either.

    I did test it with my local "test" TFS, but that went the same way - nowehere.

    I also checked the statistics page. After waiting for a fairly long time I get a page that lists one option "QueryProxyStatistics". Clicking that link gives some page that has a section with an "Invoke" button at the top and two SOAP samples, one for 1.1 and one for 1.2. I did a text search on "performance" as well as "counter", both did not turn up anything. Where on that page would I see the performance counter value ?

    I also never know when to add the "http://" in front of the proxy server or TFS server name. Does any of that use https by default ? If not, then I can save myself some time testing that option each time.

    Seems you guys need to dumb it down for me a bit more.

    Monday, April 03, 2006 6:10 PM
  • I did try adding the proxy box data into the "Add Team Foundation Server" dialog, but neither http nor https on 8080 or 8081 did anything useful. I do get eventually a error TF 31002 "Unable to connect to this Team Foundation Server".

    You need to type the name of the Team Foundation Server (aka the "app tier"), not the proxy.  Put the proxy info in Tools -> Options -> Source Control instead.

    I could also not find any "Force" option in the source control explorer. I was also not able to find anything about a "Force" option in the documentation. Maybe it is called something else in VS ?

    Once you're connected to a TFS, you can rightclick on items in Source Control Explorer and choose Get Specific Version.  One of the options on that dialog is "force get."  You can also use tf get /force from the command line.  Both of these are covered in the documentation & in the walkthroughs.
    Monday, April 03, 2006 7:07 PM
    Moderator
  • Sorry for not finding it in the documentation. I did a search and it did not turn up anything that seemed related to this. I believe you that it is there and easy to find when one know where to look for it.

    Anyhow, I entered the server addresses as proposed and I got one step closer. Rather than an error message I get a login box, in which I entered user name and password for the TFS. I still get the TF31002 error.

    I used IE to connect to http://10.144.61.227:8080/services/v1.0/registration.asmx , where the IP is that of the TFS server. I do get the registration page after using the same user name and password that I entered in VS. That makes me believe that it is not a user name or password problem.

    One more question:
    Chris Rathjen mentioned that cross-domain connection can be an issue. I wonder though why that is when all connections are done via HTTP and I apparently can log on to the registration site ? I will have our IT guys check the domain trust settings.

    Besides that, I'm always open for more suggestions....

    Thank you very much in advance.

    Monday, April 03, 2006 9:00 PM
  • No problem -- I should apologize for that crazy small text -- no idea why the forum does that...

    Cross-domain trust comes into play because we use Integrated Windows Authentication.  That means by default, we try to authenticate as the current Windows user.  Only if that fails will you get the login prompt.
    Monday, April 03, 2006 9:30 PM
    Moderator
  • The text is small, but I copied it into notepad, so it was not a problem in the end.

    Some more problems that came in, but that do not have their source in TFS. IT stuck the Cisco Security Agent on my proxy box. More out of desperation, I started looking through all kinds of logs and the system events (should have looked the earlier!). Turns out that this Cisco thingie blocks the execution of C:\Windows\system32\inetsrv\w3wp.exe. I did tell Cisco to run it anyway, but I cannot sit in fron of the proxy box and click Yes every time this message pops up....and who knows what else it blocked that it did not tell me about. I have our IT group fix this.

    Another issue that came to my attention that twisted the whole picture quite a bit. The "real" TFS is not in a domain (and the box is in Germany, which does not make it easier). The TFS is part of a simple workgroup as there is no domain server at that location.

    Maybe I need to look at these things first before trying to redo installations and configurations over and over again.

    So the questions is, is there any chance to have a proxy who is in a domain successfully authenticate with a TFS that is in a workgroup ?

     

    Tuesday, April 04, 2006 2:11 PM
  • You can try having the proxy run under an account that maches a machine account on the server (which has Valid User permissions). Then you'll just have to sort out what accounts to have your end users accessing both machines with...

    I'd generally shy away from trying to have a mix of domain and workgroup machines - if at all possible, get everyone on a domain (or multiple domains with mutual trust), or consider having the proxy in the same workgroup as the server.

    Thursday, April 06, 2006 4:31 PM
    Moderator
  • Just to have some closure here. I finally managed to get the proxy installed and potentially working as well. Here is what happened to get to this glorious moment:

    1.) Scrapped all RC installs and used the 180 day trial of the final release from the MSDN downloads.
    2.) Installed that as the TFS main server and for the proxy.
    3.) Installed the Team Explorer on the VS 2005 client.
    4.) Configured client and proxy based on the descriptions in the chm files and from the great posts in this thread.

    Without much else I was able to connect to the main TFS. It appears though that the proxy is circumvented. This is solely due to the fact that the main TFS is not in a domain, but only a workgroup PC. That requires two things:
    a) The user name and password used for the account under which the proxy is run (the one used to logon to the W2k3 server) has to be known to the TFS main server.
    b) The account(s) used within VS 2005 have to be known to the main TFS (that's expected) AND to the proxy (at least as local user).

    When using a full domain setup this is a given.
    It seems that the RC install was no good for our purposes. We also found out that mixing RCs / betas / final installs is the straight way to desaster. Now that the final release is available nobody should use anything else.
    Now I need to find out some more things abou the proxy itself, but I will start a new thread for this.
    Thank you to everyone who helped me.
    Thursday, April 13, 2006 1:10 PM
  • Thanks for the update; we'll keep our eyes open for those follow-up questions.
    Friday, August 18, 2006 3:08 PM
    Moderator
  • This is from the installation guide

     

    TFSPROXY

    • Used by Team Foundation Server Proxy on a computer that is not a member of the same domain as the Team Foundation Server application-tier and data-tier components.

    • This service account must be a member of the Administrators group on the remote computer.

    • This service account must be a member of the Team Foundation Valid Users group for the Team Foundation Server that uses the proxy.

     

    It says that proxy should be installed on a machine that is on a different domain than the AT and DT. This is a contradiction to your earlier post. Are you sure that the documentation is right?? Or is there something that I am missing?

     

     

    Thanks

    Deepak

    Wednesday, November 01, 2006 5:49 AM
  • Just noticed this message (sorry!).

    The proxy can be in a different domain than the AT/DT, but there has to be a trust relationship between the two domains (specifically, the domain in which the AT's service account lives has to trust the domain of the proxy service account, or the proxy won't be able to authenticate to the AT).

    Monday, December 18, 2006 5:32 PM
    Moderator
  • Hi Chris,

    could you have a look at my proxy-question ?

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1216865&SiteID=1

    Thanks.

    Monday, February 19, 2007 12:33 PM
  • Hi,

    I have followed the instructions and this online guide to as best as I could. I am still unable to connect to the team foundation server.

    My setup is outlined below.

    Client runing VS 2008 w/TE 2008 -----> Proxy Server Runing VS 2008 Proxy Server ---> VPN Connection ----->Team Foundation Server is also 2008

    For my service/install account i have used TFSSETUP

    TFSSETUP is a valid user of TFS and is an Administrator on the proxy machine.

    On the proxy server in the proxy.config file i have added
    Servers>
            <Server>
                <Uri>http://TFS-SERVER/VersionControl</Uri>
            </Server>
        </Servers>


    I am able to  see my statistics on the client machine when I hit
    http://YOUR SERVER  NAME:8081/VersionControlProxy/V1.0/proxystatistics.asmx.

    But when I atempt to connect in team Explorer to my server I get an error that the server cannot be reached.

    I have also configuired the In Visual Studio select tools -> options -> Source Control -> Visual Studio Team Foundation Server
    And select use proxy server
    Enter your Proxy server name
    For Port enter 8081
    Select OK

    What am I doing wrong?

    Tuesday, March 25, 2008 4:37 PM
  • I'm curious as to how this works as well.

     

    Remote offices are unlikely in my situation, but telecommuting and contractors working here and there are my main issue, so setting up a "tfs proxy" at each individual location requiring remote access is, well, not going to happen.

     

    So, I need a TFS Proxy, that will sit outside of my corporate firewall and serve to those outside the internal network, however TFS Proxy is not really designed for this -- although I certainly think it should, isn't there more market in this scenario then remote offices?

     

    I won't completely say that this setup won't work as I've seen diagrams out on the net that say this is possible and a feasible solution..

     

    My unresolved questions are:

     

    1. Does TFS Proxy provide improved WAN performance?

     

    2. If my TFS Server is internal, and TFS Proxy is external, how do my clients not on the internal net enter the TFS Server? It would not be resolvable and they wouldn't be able to connect to it, TFS Proxy should handle this, but it doesn't appear to (Post above, and I've tried this myself)

     

    3. Would it be better to expose the actual TFS Server using SSL to the outside world?

     

    4. How does codeplex run things? Is there any documentation on how it's setup?

     

    Thanks.

     

    ST

    Monday, April 28, 2008 1:19 PM
  • I have given server name in "Add Team Foundation Server" dialog and proxy details in Tools -> Options -> Source Control. But it is working fine even if i give a wrong name for proxy and so I think it is not using proxy details. So could you please tell me how to force the Visual studio IDE to connect to the proxy not the server?

    Wednesday, May 07, 2008 10:34 AM
  • Good piece of information

    Wednesday, July 09, 2008 5:19 AM