
TFS 2017 server required firewall settings for Build agent


I have TFS 2017 on Windows Server 2016 Standard.

I am now setting up a Build agent on Windows 10 Pro using PAT token authentication (having "Agent Pools (read, manage)", "Agent Pools (read)", "Build (read)", "Code (read)", "Build (read and execute)"), though this part seems to be fine.

I am getting close to the very end of the configuration:

Testing agent connection.
An error occured while sending the request.

Log file says:

[2017-06-27 14:58:18Z ERR Agent] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: Der Servername oder die Serveradresse konnte nicht verarbeitet werden
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Net.Http.WinHttpHandler.d__101.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.VisualStudio.Services.Common.VssHttpRetryMessageHandler.d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Net.Http.HttpClient.d__58.MoveNext()

More by chance (since this is nowhere mentioned as required) I disabled the firewall on the server and now the connection and configuration of the build agent goes to the very end.

I definitely have 443 and 80 open, I am using TFS via https/443 and also entered that in the build agent config. In the TFS console, I see :80 and :443, nothing like :8080.

What else do I need to consider?

TFS server is in a domain, build agent is not, https certificate is self-signed and added to Root CAs on build agent.


Solution

  • After opening all TCP ports outgoing and incoming and doing some "netstat -a", I also tried UDP.

    After some testing and "binary search", I opened UDP 1434 and now the

    Testing agent connection
    

    results in asking for the _work folder.

    Update:

    After ~ 5 builds I got "An error occured while sending the request.. retry every 15 seconds..", looks like opening 5353 and 5355 UDP fixes this for now.
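
The WinHTTP error in the log is a name-resolution failure, and UDP 5353 and 5355 are the mDNS and LLMNR ports, so the following added example (not part of the original answer) checks from the agent which resolver answers for the server name, and on the server opens the three UDP ports from the answer only to the agent's address instead of disabling the firewall. The host name `tfs01`, the address `192.0.2.10`, the function names and the rule names are placeholders assumed for illustration.

```powershell
# Added example; host name, agent address and rule names are placeholders.
param(
    [string]$TfsHost = 'tfs01',        # hypothetical TFS server name
    [string]$AgentIp = '192.0.2.10',   # constructed build agent address
    [ValidateSet('Agent', 'Server')]
    [string]$Role = 'Agent'            # which machine the script runs on
)

function Test-TfsNameResolution {
    # Run on the build agent: which resolver answers for the TFS host name,
    # and is TCP 443 reachable once the name resolves?
    param([string]$Name)
    $r = [ordered]@{ Name = $Name; Dns = $false; Llmnr = $false; Tcp443 = $false }
    if (Resolve-DnsName -Name $Name -DnsOnly -ErrorAction SilentlyContinue) {
        $r.Dns = $true
    }
    if (Resolve-DnsName -Name $Name -LlmnrOnly -ErrorAction SilentlyContinue) {
        $r.Llmnr = $true
    }
    if ($r.Dns -or $r.Llmnr) {
        $tcp = Test-NetConnection -ComputerName $Name -Port 443 `
            -WarningAction SilentlyContinue
        $r.Tcp443 = [bool]$tcp.TcpTestSucceeded
    }
    [pscustomobject]$r
}

function Add-ScopedAgentRules {
    # Run elevated on the TFS server: allow the UDP ports named in the answer,
    # but only for traffic whose source is the build agent.
    param([string]$RemoteAddress)
    $ports = [ordered]@{
        1434 = 'UDP 1434'
        5353 = 'UDP 5353 (mDNS)'
        5355 = 'UDP 5355 (LLMNR)'
    }
    foreach ($port in $ports.Keys) {
        New-NetFirewallRule -DisplayName "TFS build agent - $($ports[$port])" `
            -Direction Inbound -Protocol UDP -LocalPort $port `
            -RemoteAddress $RemoteAddress -Action Allow | Out-Null
    }
}

if ($Role -eq 'Agent') {
    Test-TfsNameResolution -Name $TfsHost
} else {
    Add-ScopedAgentRules -RemoteAddress $AgentIp
}
```

If the agent-side result shows `Dns` as False and `Llmnr` as True, the agent reaches the server name only through multicast name resolution, which is the traffic the UDP 5355 rule permits.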