TFS 2010 access from internet

mr Hills
mr Hills used Ask the Experts™

We have Team Foundation Server 2010 environment is in place. Which is working fine. We want to open the TFS Web access to internet.

We want to follow the link-

We are testing it on our test environment. The additional apptier is in the DMZ zone. But the data tier is well with in our domain. What are the port we need to open to achieve this.

Situation is very urgent, my job is in the line.

Could anybody please help.

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Ryan McCauleySenior Data Architect

So you're looking to provide access to TFS open the open internet, not a VPN (as described in that link)? If so, the only port you'd need to open is 443 (assuming you're using SSL, which I can't recommend strongly enough without inappropriate language). If you're adding an additional app-tier, you should only need the web ports open for it to communicate back to the web services.

You can check out how Codeplex is doing their TFS hosting, since they make projects available to clients over the internet. Here's their general layout - pretty small, you'll see:

If you just want to enable SSL on your TFS server and configure direct port 443 access to the web tier, here's a Microsoft walk-through for that:

If those don't meet your needs or I've missed something in your requirements, please elaborate.
mr HillsSolution Architect


Hi ryanmccauley, Thanks for your response and pointers. I will tell you what we have so far step by step.

1. We were provided with a server in DMZ, where port 80/443 was opened from internet to DMZ. This server has public IP assigned to it by Network team.
2.This DMZ server had port 8080/1433/9191 opened from DMZ to Apptier in intranet.
3. We tried installing/configuring additional apptier on the server, configuration failed. We think that it happened because 1433 is not open from intranet datatier to DMZ.
4. After encountering this failure, we added DMZ server in our domain where our original TFS setup is also there.
5. We logged in to DMZ server with our Domain Admin credentials.
6. Configuration happened successfully. We were able to access the TFS WEB inside the DMZ server.
7.In DMZ server we did port forwarding for port 80 to 8080 using NETSH INTERFACE PORTPROXY .
8. Now with using public IP of DMZ appended with /tfs/web, we are able to access the TFS WEB from internet. It asks for domain credentials for authentication. We can see Work Items and Source Control only.

Please let us know how far we have reached and what else do you recommend. I understand that ssl is important. Any thing else you want add please let us know.

Once again thanks for your help.

Kind Regards.
Mohamed OsamaSenior IT Consultant

Below Ports are all the TCP ports we needed to configure at some stage for Visual studio to work for Internet access, note that some of them may not be needed depending on your own setup .

    Port 80 TCP – Web Server (Reporting Services/SharePoint Services)
    Port 443 TCP – Web SSL (Reporting Services/Share Point Services)
    Port 1433 TCP – SQL Server Service
    Port 1434 TCP – SQL Browser Service
    Port 1444 TCP – SQL Server Monitoring
    Port 2382 TCP – SQL Analysis Service Redirector
    Port 2383 TCP – SQL Server Analysis Service
    Port 17102 TCP – SharePoint Central Administration
    Port 8080 TCP – Team Foundation Server
    Port 8143 TCP – Team Foundation Server (SSL)
    Port 8081 TCP – Team Foundation Server Proxy
    Port 8144 TCP – Team Foundation Server Proxy (SSL)
    Port 9191 TCP – Team Foundation Build Remoting
mr HillsSolution Architect


Hello Admin3K,

Thanks for all the help so far...
We want to keep our "Additional Apptier Configuration only" to a server which is in DMZ(member of  Workgroup).
We have the appropiate  ports and firewall settings in place

When we try to provide the SQL server\instance of our TFS datatier(server in a Domain) and select available databases it follows to an error as attached.

In a nutshell:- When we try the "TFS Apptier Only" configuration by the server in same domain all works well,however if we try the same from a server in DMZ the error as said.

Is it possible to have have an Additional Apptier only configuration on a server in DMZ and get it connected to the TFS setup in a domain with minimum (only web access service) exposure?
Please let us know your inputs
Thanks again!!!
Senior IT Consultant
So Basically you need to create some sort of a Trust relationship between your application tier and your Data tier which reside in different domains.
Please refer to the below link

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial