Deployment to Demilitarized Zone using TFS 2015 and TFS 2017

In many of the enterprises internet facing application will be in separate Zone called DMZ or Demilitarized zone.

Demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical sub network that contains and exposes an organization’s external-facing services to an untrusted network, usually a larger network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN);
an external network node can access only what is exposed in the DMZ, while the rest of the organization’s network is firewalled. that is communication between DMZ and Internal network will be restricted with firewalls.


  1. WINRM should be configured on the target Machines and RM server.
    winrm quickconfig
  2. Enable Power Shell Remoting on target machines.
    Enable-PSRemoting -force
  3. Set-execution Policy unrestricted on target machines.
    Set-ExecutionPolicy unresrticted

Configuration Required for DMZ deployment.

  1. Ports which are required for Deployment tasks should be opened. As per my experiment, if you are using Windows file copy task and run power shell on target machines, you need to open the below ports from Build Agent Servers to your target DMZ servers.
    TCP port 5985,445,139 and the UDP port 137.
  2. Your target DMZ servers should be added as the trusted hosts in the WINRM configuration of the  build agent Servers. Sample code given below.
    winrm get winrm/config/client
    winrm get winrm/config/service
    winrm s winrm/config/client @{TrustedHosts=”,,,″}
    winrm get winrm/config/client
    winrm get winrm/config/service
  3. If you are copying your artifcats directly from drop location using windows machine file copy task, you will have to open port 445 from your DMZ servers to the Drop Server.
  4. If further issues, Look for DNS IP mapping issues as well. Even after all the above configurations, your Deployment task cannot access the drop location, please try using IP address in Release definition for the UNC path. If using IP address works, it means the IP not mapped to correct DNS name in DMZ. Similarly you will have to use IP address for target servers as well in Release definition.

Another best option is to have few build/Release servers in DMZ. You just need to open http/https port for the communication between Team foundation Server and Build/Release servers.

Leave a Reply

Your email address will not be published. Required fields are marked *