I want to provide/restrict access to resources based on IP from my google cloud vm to prevent my dev team downloading/uploading the code to public drives.
Everything is working fine up to now.But I want to provide access to Visual studio online TFS with my outlook account.
I created visual studio online account for Version control.
URL: https://eschooltest.visualstudio.com
Region: Canada Central
I came to know vs online IPs are published every wednesday and downloaded from the below url and added these canada central Ips to Google Firewall system with allow access.
https://www.visualstudio.com/team-services/support/ip-addresses-used-hosted-build/
But still I am not able to access vs url.I pinged this url from command prompt and found the ip is 13.107.6.175 which is not present in the canada central IP list and also not present in the whole ip list of all regions.
Can someone help to achieve the requirement? OR please let me know if there is an elegant way of doing this.
if this is not possible with VS online, I am planning to set up TFS express in another VM to prevent leaking of my code to outside world though this is cumbersome.
EDIT:
1. Why this ip is not present in the Published xml?
VSTS does not offer any type of IP-based filter — so you can't do like in SQL Azure, in which you add and/or remove IPs that can access the service on Azure. About this area take a look at thie blog: Prevent users from accessing the VSTS out of the workplace
You should take a look at the official tutorial how to Manage conditional access to VSTS
Conditional access offers simple ways to help secure resources for
VSTS accounts backed by an Azure Active Directory (AAD) tenant.
Conditional access policies like multi-factor authentication can help
protect against the risk of compromised credentials and help keep your
organization's data safe. For example, in addition to requiring
credentials, you can have a policy that only devices connected to a
corporate network can gain access.
Related
I need to add a colleague to my development environment (specifically VisualStudioOnline - TFS) and the doc I've read about how to do this shows differently than what I see when I try.
I am the only user of Visual Studio 2012 in my small company. I am using Visual Studio Online for Source Control (as I understand it, this exposes Microsoft Visual Studio Team Foundation Service - Version 15.115.26417.0 as a "service" (i.e. this is the cloud...there is no on-premise TFS installed). Currently, I am using a LOCAL workspace (the default) and TFVC (not GIT).
I added my NewUserA to the Administrators group on the dev server. When click menu item Team to Connect to TFS, I am prompted to sign-in with my "Microsoft" account.
However, when I try to add NewUserA to my TFS, the dialog below seems unable to search for the existence of NewUserA:
It seems to want an "identity" of NewUserA (which suggests an email address too) so it sort of makes sense that this prompt does not look for locally added Windows users.
I am quite confused and would appreciate being helped thru this.
If your VSTS account isn't connected to Azure Active Directory and you're not synchronizing your on-premises AD to AAD, then of course it won't be able to find users from your on-prem domain. If that's the case, you can add users by email address and they'll be prompted to sign up for a Microsoft account (if they don't already have one) using that address. This is different than an organizational account, which is what you'd use if you were connected to Azure AD.
We're completely upgrading our production and development environment from co-located boxes to an Azure implementation and we'll be developing using Visual Studio Online. Up until this point our dev has occurred on a Remote Desktop environment where developers were logging into Windows server and developing on that RDP box.
We want to set this up and we have some confusion about the Account types/set up types.
It appears there are two ways to set up our Azure and two ways to set up our developers. We are a MS partner w/ some MSDN licenses and Azure credits.
So for Azure we can use our existing MS accounts and just set up an Azure Pay As You Go (PAYG) subscription. This was suggested to us initially but it seems weird to have the entire companies Azure environment going through an individuals live ID. Then we saw we can sign up as an Organization now and it uses Azure AD. We have not been using Active Directory and we're not sure how much complexity this is going to add to our administration. Is there a discernible difference/benefit to going one way or the other?
Then, when we sign up our developers we can either have everyone sign up with their live ID's (we have MSDN w/ VS Premium credits for all developers) or we can set them up using Active Directory with Work Accounts. Having our credits allotted in work accounts sounds like a good way to control things at first reading, but it also seems a bit more complex. I'm wondering if there is much difference between MSDN accounts signed up w/ live IDs or AD Work Accounts. I can't find a real comparison article or pro/con type of discussion anywhere.
It sounds like you have already figured out the main differences. As an organization, I would suggest signing up for Azure as an organization. You can do that here. This is going to give you the management capabilities for resources typically needed by an organization.
Your developers can continue to use the MSDN subscriptions. As Dylan commented, these are not to be used for production environments. You should consider using these for Dev/Test environments and activating your MSDN benefits. This will save you some money. More on that here.
Visual Studio Online will work with your Work Accounts and again give you more control over managing your online resources. This link describes the sign-up process for both Microsoft Accounts and Work Accounts. And if you scroll down a bit you will find your original question specifically addressed.
Finally, you can also add your Work Account(s) to your existing MSDN subscriptions if you like. This way you (and your developers) can use the same account credentials when accessing Azure Subscriptions. Information on how to do that is available in this link.
Your Work Account subscription should be limited to personnel responsible for managing your "production" environment.
After signing up for Azure as an Organization, you can add users to the directory as described here. You can also add "external" users using their existing Microsoft Accounts. It's just a few dialogs to add a user.
We're using Azure to maintain our development and QA servers.
One of the needs we have now, is to provide our QA members access to update web.config file on the server, which can be achieved via Visual Studio Server's Explorer (with the right configuration).
The problem is that you need a user with a subscription as a co-administrator within Azure (at least as far as I managed to understand), but obviously we'd like to allow our QA members only to maintain the files, with limited access via Visual Studio.
Is there any way to do it?
Following Brendan advice, I've granted the QA members FTP access. This should do the job for now, until Microsoft will come up with something better :)
Thanks Brendan!
In our company we use TFS for issues tracking. For now we are thinking to create a new project and made it accessible outside from company network for one customer (we will create a separate user for that).
The biggest concern here is that we will create external access and it became potentially hackable.
Could you please share own experience for this case?
Do you know any useful information to read about TFS security that is related to access from outside network.
Thanks a lot. Any thoughts are welcome!
While you can technically put SSL on the TFS Web Services, the general best practice is to:
1) Require use of Team Explorer over a VPN connection
or
2) Implement Team System Web Access
Other thoughts would be to setup a tfs instance with a hosted tfs provider and then do some automation to provide work item replication. Do you intend the customer to be read only or will they update and submit?
We're trying to setup an internet facing WSS 3.0 site without Active Directory. We have a single WFE and a single SQL Server (2005). The WFE will be outside our DMZ.
We've successfully created the Central Admin site with a local admin account on the WFE and a separate account on the SQL server for the database, but we're stuck on setting up the WSS search capability.
I couldn't seem to get things to work when using Central Admin to start the WSS Search service. I'm thinking I'll need to use stsadm -spsearch to set up the WSS search manually, rather than using the menus in Central Admin.
Does anyone have any tips and/or resources they recommend?
You want to setup your WSS3 site using Forms Based AUthentication, with an ASP.Net SQL Membership Provider and backend database.
Microsoft have a very nice guide on MSDN.
I followed this guide when attempting something similar. This explains how to allow forms based and AD authentication on the same site but you could just follow the parts that explain how to setup forms based.
This also includes changing the web.config file for central administration so that it can access the SQL database used to store users for forms based authentication.
It is very easy to follow.
We're looking for the same... rather we have a separate AD for our DMZ, however, for the extranet, would like to use it without AD accounts. May I ask what you've come up with so far?
Have seen posts talking about local machine accounts, but we do have 2 app servers and realize the maintenance involved to keep them in sync if we use local machine acounts. Swore I saw a 3rd party tool that would allow user's to be added into their own db and managed through their web-part/portal but can't seem to find it now.