How Team Foundation Server Proxy 2008 works
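Even people who know TFS well sometimes mistakenly believe that the TFS Proxy server can expose a TFS Application Tier installed on the intranet to the Internet.
However, as you will find if you install it yourself, the TFS Application Tier must also be connected to the Internet. If you read the topic introduced above, you can see how the TFS App Tier is actually queried.
[Since the content above is short, I have included it below.]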
Ever wondered how TFS Proxy works? While this MSDN article "Team Foundation Server Proxy and Source Control" (http://msdn2.microsoft.com/en-us/library/ms252490.aspx) provides a great overview, this blog post will add an end-to-end story for TFS users who like to dig into technical details.
Let's see what happens among a user (CLIENT), TFServer (SERVER) and TFS Proxy (PROXY) when the user is trying to download a file from TFServer.
- CLIENT authenticates with SERVER.
- SERVER terminates connection if authentication failed. End of story.
- CLIENT sends a file download request to SERVER.
- SERVER checks CLIENT's read permission on the requested file.
- SERVER reports "file does not exist" if CLIENT has no read permission. End of story.
- SERVER sends a download ticket for the requested file to CLIENT.
- CLIENT sends the download ticket to PROXY and waits for PROXY to return the requested file.
- PROXY checks whether the requested file is already cached.
- PROXY returns the requested file to CLIENT if it is already cached. End of story.
- PROXY service account authenticates with SERVER.
- SERVER terminates connection if authentication failed. PROXY reports error to CLIENT. CLIENT will download directly from SERVER. End of story.
- PROXY asks SERVER for the location of VersionControl services.
- SERVER checks whether PROXY service account has read permission on server-level information.
- SERVER terminates connection if PROXY service account has no read permission on server information. PROXY reports error to CLIENT. CLIENT will download directly from SERVER. End of story.
- SERVER tells PROXY where VersionControl services are.
- PROXY uses CLIENT's download ticket to download the requested file from SERVER.
- PROXY caches the requested file.
- PROXY returns requested file to CLIENT. End of story.
- SERVER always checks repository read permission against CLIENT, not PROXY service account.
- SERVER always checks server-level information read permission against PROXY service account; and that is the only permission PROXY service account ever needs.
- PROXY can save SERVER resources by serving CLIENT's downloading request when the requested file is already cached.
In other words:
- PROXY and SERVER are bound at the server level, not the team project level.
- PROXY does not act as a surrogate for SERVER; PROXY only does caching and all permission checking is done by SERVER.
- PROXY service account can simply be placed in a server-level group, e.g. "[Server]\Proxy Service Accounts", without any extra security configuration. This effectively grants PROXY service account read permission on server-level information.
- Adding PROXY service account to either TFServer Admin group, TFServer service account group, or any team project group will also grant PROXY service account read permission on server-level information; however, this practice is not recommended because it gives PROXY service account more permissions than it needs.
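The flow above as a toy Python model, added here as an illustration; it is not code from TFS or from the original post. The class and function names, the ticket format (path plus a random token) and the account names are assumptions, and ticket validation on a cache hit is not described on the page and is not modeled.

```python
# Toy model of the CLIENT / SERVER / PROXY download flow (hypothetical names).
import secrets

class Server:
    def __init__(self, files, readers, info_readers):
        self.files = files                # path -> content
        self.readers = readers            # path -> users with repository read permission
        self.info_readers = info_readers  # accounts with server-level information read
        self.tickets = {}                 # token -> path, issued only after the CLIENT check
        self.downloads = 0                # how many times SERVER shipped file content

    def request_ticket(self, user, path):
        # Repository read permission is checked against CLIENT, never PROXY.
        if user not in self.readers.get(path, set()):
            raise FileNotFoundError("file does not exist")
        token = secrets.token_hex(16)
        self.tickets[token] = path
        return (path, token)

    def locate_version_control(self, account):
        # The only permission check made against the PROXY service account.
        if account not in self.info_readers:
            raise PermissionError("no read permission on server-level information")

    def download(self, ticket):
        path, token = ticket
        if self.tickets.get(token) != path:
            raise PermissionError("invalid ticket")
        self.downloads += 1
        return self.files[path]

class Proxy:
    def __init__(self, server, account):
        self.server, self.account, self.cache = server, account, {}

    def fetch(self, ticket):
        path = ticket[0]
        if path not in self.cache:  # cache miss: PROXY must talk to SERVER
            self.server.locate_version_control(self.account)
            self.cache[path] = self.server.download(ticket)  # CLIENT's ticket
        return self.cache[path]

def client_get(server, proxy, user, path):
    ticket = server.request_ticket(user, path)  # raises if CLIENT cannot read
    try:
        return proxy.fetch(ticket), "proxy"
    except PermissionError:
        return server.download(ticket), "direct"  # CLIENT falls back to SERVER
```

In this model the proxy account appears only in `info_readers`, mirroring the least-privilege recommendation: it can populate the cache with a client's ticket but cannot obtain a ticket of its own.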
[Last modified: 3/25/2008