There are several different scenarios where you may want to place a TFS (Azure DevOps) server – or some of its components – in a demilitarised network zone.

Getting to know the concept of the DMZ…

For those of you who do not know, a DMZ is an area of our company network that is less heavily locked down. Often this will be where public-facing services are hosted.

The DMZ will usually have a firewall barrier to the rest of the network and network appliances either side to control traffic going in and out in either direction. (see drawing below)

It is common for companies to choose to use a different Active Directory domain or no AD domain at all in these environments to not only physically but logically separate the network zones from each other.

Team Foundation Server / Azure DevOps Server DMZ scenarios

There are broadly two major DMZ scenarios for Azure DevOps Server (formerly Team Foundation Server) and I will go through each of them in more detail.

Please note that it is recommended to always use HTTPS (SSL) for all communication with TFS. (especially as soon as Internet traffic comes into play)

Deploying to the DMZ

You may be in a situation where you need to deploy to a server located in the DMZ. In this case it’s usually easiest to use the agent deployment model.

You may be tempted to use deployment groups instead, but this could create a potential security concern as the deployment agent sits on the same machine as the deployment itself. This means that you would have to allow your target machine to talk to TFS in the more secure network area directly.

The agent model gets around this by running the agent runtime on a physically different machine, allowing you to only allow connections to TFS from that agent machine. Deployments can be unidirectional, so there is no need for the target server to be able to initiate a deployment from the agent server.  

Multi-domain setup

You may have a domain split into “DEV” and “PROD” for example. (as shown in the graph)

In order to run deployments to all environments it can often be easiest to place the TFS sever in the DMZ and allow users to connect with dedicated accounts.

You can use PAT tokens to authenticate agents in all your domains to the TFS server. The advantage of this is that you can have pipelines deploy into the various environments, avoiding a need to split your deployments across several servers, which is bad for agility.

The added benefit here is that we could (if we wanted to) allow access to TFS from the internet.