DirectAccess with Team Foundation Server

  • Question

  • Can I install Team Foundation Server 2012 on a Windows Server 2012 machine with the DirectAccess role? I have tried this and cannot get to the TFS server on its default port of 8080. I can get to the TFS site by going to http://localhost:8080/tfs, but I cannot get to it by going to http://<ip address>:8080/tfs, even on the same machine. Is DirectAccess routing something, or is there something else that is using port 8080? I also tried changing the port to 8880, which yielded the same result. I have checked Windows Firewall and there is an incoming rule to allow 8080 traffic for TFS.
    Monday, April 1, 2013 6:18 PM

All replies

  • Hi,

    Accessing internal resources with DirectAccess is possible if you use FQDN instead of IPv4 addresses.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, April 1, 2013 9:52 PM
  • I tried accessing by FQDN (http://<fqdn>:8080/tfs) and it does not work as well. The strange thing is that I can get to TFS off campus by going through the DirectAccess server. Is DirectAccess blocking communication internally?
    Tuesday, April 2, 2013 10:59 AM
  • Hi

    When connected to your corporate network, DirectAccess is disabled. Technically speaking, NRPT is disabled. The "NETSH.EXE NAMESPACE SHOW EF" command should return "Note : DirectAccess Settings would be turned off when computer is Inside corporate network".

    If you have the content of the NRPT, this means your client can't reach the Network location server. In this situation the DirectAccess client tries to initialize IPSEC tunnels from your LAN network. Can you reach the NLS web site from your DirectAccess client?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, April 2, 2013 11:03 AM
  • I am able to reach the NLS web site inside the corporate network. DirectAccess shows that I am connected to the corporate network as well. I have also tested a computer that does not have the DirectAccess client and that machine cannot get to the TFS site either. It's like the DirectAccess server is blocking web traffic. VNC on the server works fine, but I am only able to get to the TFS site by going to the server and entering http://localhost:8080/tfs.
    Tuesday, April 2, 2013 12:41 PM
  • Hi

    If it works with a DirectAccess computer connected on LAN and a standard computer connected on the same LAN, DirectAccess is not the cause of your problem. I would suggest that some filtering features inside IIS on your server block you (e.g., IP restriction on localhost). Do you have a specific HTTP response error code?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, April 3, 2013 7:36 AM
  • It is just the opposite of that. Neither my DirectAccess nor any other computer connected to the LAN can get to the TFS site. If I am at home where the DirectAccess client is turned on, I am able to access the TFS site. So it works off campus (not on the company LAN), but doesn't work for anyone on campus whether they are a DirectAccess user or not. Here are the scenarios and outcomes that I have tested so far.

    • On the DirectAccess/TFS Server (same machine) - http://localhost:8080/tfs - Works
    • On the DirectAccess/TFS Server (same machine) - http://<ipv4 address>:8080/tfs - Does not work
    • On the DirectAccess/TFS Server (same machine) - http://<ipv6 address>:8080/tfs - Works
    • On the DirectAccess/TFS Server (same machine) - http://<fqdn>:8080/tfs - Works
    • On a DirectAccess client on company LAN - http://<ipv4 address>:8080/tfs - Does not work
    • On a DirectAccess client on company LAN - http://<ipv6 address>:8080/tfs - Does not work
    • On a DirectAccess client on company LAN - http://<fqdn>:8080/tfs - Does not work
    • On a DirectAccess client at home off company LAN - http://<fqdn>:8080/tfs - Works
    • On a non-DirectAccess client on company LAN - http://<ipv4 address>:8080/tfs - Does not work
    • On a non-DirectAccess client on company LAN - http://<ipv6 address>:8080/tfs - Does not work
    • On a non-DirectAccess client on company LAN - http://<fqdn>:8080/tfs - Does not work

    I am not a network expert so I could be wrong, but it seems that the DirectAccess/TFS server is not responding to its ipv4 address even though I have a binding for the ipv4 address for the TFS site in IIS. This can be seen by the tests above when I run them directly on the DirectAccess/TFS server. It does not respond to its ipv4 address. When I run nslookup for the fqdn of the DirectAccess/TFS server on my DirectAccess client computer when connected to the company LAN, I get back its ipv4 address, so if my server isn't responding to its ipv4 address, I would not be able to get to the TFS site. I have tried to get to the TFS site by using its ipv6 address and that doesn't work. If I run ipconfig on my DirectAccess client computer, I do not see that I have an ipv6 address assigned. I only see a link-local ipv6 address and my ipv4 address. Could this be what is causing the issue?

    • Edited by Andrew Wilinski Wednesday, April 3, 2013 11:47 AM added more info
    Wednesday, April 3, 2013 11:05 AM
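
    The test matrix in the post above can be scripted so that each vantage point (the server itself, a LAN client, a remote client) is checked the same way over IPv4 and IPv6. This is an added example, not part of the thread; the function name Test-TcpEndpoint is made up for illustration and the host name tfs01.corp.example is a placeholder.

```powershell
# Added example (not from the thread): attempt a TCP connection to one port on
# every address a target resolves to, and report the result per address family.
function Test-TcpEndpoint {
    param(
        [Parameter(Mandatory)][string[]]$Target,  # host names or literal IP addresses
        [int]$Port = 8080,                        # TFS default port from the thread
        [int]$TimeoutMs = 3000
    )
    foreach ($t in $Target) {
        try {
            $addresses = [System.Net.Dns]::GetHostAddresses($t)
        } catch {
            Write-Warning "Cannot resolve ${t}: $($_.Exception.Message)"
            continue
        }
        foreach ($ip in $addresses) {
            # Create the socket for the matching family so IPv6 is tested as IPv6.
            $client = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
            $result = 'Timeout'          # no answer at all (dropped or filtered)
            try {
                $pending = $client.BeginConnect($ip, $Port, $null, $null)
                if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                    $client.EndConnect($pending)   # throws if the connect failed
                    $result = 'Connected'
                }
            } catch {
                $result = 'Refused'      # host answered, nothing accepted the connection
            } finally {
                $client.Close()
            }
            [pscustomobject]@{
                Target  = $t
                Address = $ip.ToString()
                Family  = $ip.AddressFamily
                Port    = $Port
                Result  = $result
            }
        }
    }
}

# Run from each vantage point and compare the tables (placeholder host name).
Test-TcpEndpoint -Target 'localhost', 'tfs01.corp.example' -Port 8080 | Format-Table -AutoSize

# On the server itself: which addresses HTTP.sys is restricted to, and what owns the port.
netsh http show iplisten
netstat -ano | findstr ":8080"
```

    A "Timeout" from the LAN next to a "Connected" on localhost points at filtering or a listener bound to a different address, while "Refused" means the address answered but nothing was listening on that port.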
  • I added another ipv4 address to the NIC and edited the IIS bindings for TFS to listen on the IP address. I can now access the TFS site using the second IP address. The conclusion I have come to is that DirectAccess is listening to all http traffic and blocking it except for port 62000 for the NLS website. If anyone can confirm that or has any other information, I would greatly appreciate it.
    Wednesday, April 3, 2013 1:15 PM
  • Hi

    I did not notice you put the NLS on the URA server with your Team Foundation Server. In this special case yes: http://technet.microsoft.com/en-us/library/jj574101.aspx

    "If you are deploying Remote Access with a single network adapter, and installing the network location server on the Remote Access server, TCP port 62000 should also be exempted."

    To avoid such a situation you can move the NLS web site to another IIS web site.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, April 10, 2013 8:34 PM