Configuration question regarding netsh

Oct 4, 2011 at 3:00 PM

I just want to further understand the configuration of the TfsDeployer service that I have running.  I have followed the directions and created the service and it is running. The installation instructions call for executing the following steps:

The account that the TFS Deployer service runs under must have permissions to:

  1. Subscribe to TFS Build Quality Status Change events. Either add the service account as a member of the ‘Team Project Collection Administrators’ group, or grant the permission directly via the command line, for example: tfssecurity.exe /a+ EventSubscription $SUBSCRIPTION: CREATE_SOAP_SUBSCRIPTION n:YourDomain\YourTfsDeployerAccount ALLOW /collection:http://YourTFS:8080/tfs/YourCollection
  2. Retrieve content from TFS Version Control. (Adding the service account to the team project's Readers group is easiest.)
  3. Read files on the Team Build drop file share.
  4. Deploy the build on the target machine. The PowerShell instance that TFS Deployer creates will inherit the identity of the TFS Deployer service. So this account will need all the permissions necessary to deploy the build (typically a member of the local machine's Administrators group).
  5. Listen on the configured HTTP endpoint. This can be configured via the built-in "netsh" command, for example: netsh http add urlacl url=http://+:8881/ user=YourDomain\YourTfsDeployerAccount

I'm confused by step 5. I have never run this command before and I ran it literally with my credentials.  It came back and said that the URL reservation was successful.  I assume that this reserves the port for listening, but what ties the service to this port?  I changed the BaseAddress in the service's config file to the value below based upon a previous discussion I googled.  Is this correct?

<setting name="BaseAddress" serializeAs="String">

Dec 9, 2011 at 4:34 AM


Care of HTTP.SYS, a kernel-level HTTP protocol stack introduced in Windows XP/Server 2003, applications running with non-administrator credentials must have permission to accept incoming HTTP requests. The netsh command you quote above is asking Windows to grant the specific user (i.e. TFS Deployer's service account) permission to listen for requests to the specified url (i.e. the url that TFS Deployer will listen on to receive notification that a build quality has been changed).

The url is completely arbitrary but some time ago someone chose port 8881 and it has become a popular convention for TFS Deployer. The URL you choose simply must meet two requirements:

  • The DNS name or IP address must be resolvable from the TFS server
  • The port must not be blocked by local-machine or network firewalls between the TFS Server and the TFS Deployer machine

The chosen url is then specified in the TFS Deployer configuration file as the value for the BaseAddress setting and appropriate permissions are configured via netsh, typically replacing the host component of the url with a plus symbol*.

When TFS Deployer starts, it begins listening at the BaseAddress url, then it connects to the TFS server and basically says "Hi, I'd like to know about any changes to the build qualities, please let me know at this address ..." and passes the BaseAddress url to TFS.

So, if is the IP address of your TFS Deployer machine and port 8881 isn't blocked by any firewalls, and the TFS server can ping that IP, then it is correct. Personally though, I prefer to use a DNS name instead of IP addresses, but it depends on your infrastructure.
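
The link between the netsh reservation and the BaseAddress setting described in this answer can be checked mechanically. The following is an added example, not part of the original thread and not TFS Deployer code: it parses `netsh http show urlacl` output and reports whether a reservation covering a given BaseAddress grants Listen to the service account, and which other accounts hold the same grant. The sample output, the host name `deployer01.example.test` and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `netsh http show urlacl` output (not from the thread).
SAMPLE_URLACL = r"""
URL Reservations:
-----------------

    Reserved URL            : http://+:8881/
        User: YourDomain\YourTfsDeployerAccount
            Listen: Yes
            Delegate: No

    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \Everyone
            Listen: Yes
            Delegate: No
"""

def parse_urlacl(text):
    """Return [(reserved_url, user)] for every entry with Listen: Yes."""
    grants, url, user = [], None, None
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if key == "Reserved URL":
            url = value
        elif key == "User":
            user = value
        elif key == "Listen" and value == "Yes":
            grants.append((url, user))
    return grants

def covers(reserved, base_address):
    """True if the reserved prefix covers base_address ('+'/'*' match any host)."""
    m = re.match(r"(https?)://([^:/]+):(\d+)(/.*)$", reserved, re.I)
    base = urlsplit(base_address)
    if not m or base.port is None:  # assumption: BaseAddress names its port
        return False
    scheme, host, port, path = m.groups()
    return (scheme.lower() == base.scheme and int(port) == base.port
            and (host in ("+", "*") or host.lower() == base.hostname)
            and (base.path.rstrip("/") + "/").lower().startswith(path.lower()))

def check_listener(urlacl_text, base_address, service_account):
    """Return (ok, others): is the account granted Listen, and who else is."""
    users = [u for url, u in parse_urlacl(urlacl_text) if covers(url, base_address)]
    ok = any(u.lower() == service_account.lower() for u in users)
    others = [u for u in users if u.lower() != service_account.lower()]
    return ok, others
```

On the TFS Deployer machine, pass the real output of `netsh http show urlacl` in place of the sample; a result of `(False, [...])` means the reservation was made for an account other than the one the service runs under.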