Setting up BuildAgent for secure communications through firewall.

After searching through the archives I haven't found a subject dealing with this particular issue so let me explain what we are trying to accomplish and how we're using Team City.

First, we are a .NET shop and using TeamCity very successfully to do CI, QA, PreProd and Production builds. We've written scripts in NAnt which build, checking to a build repository in SVN and publish from previous builds by pulling this from SVN and publishing it.

Currently we are using FTP to do our file transfers through a firewall but have had recent snaffus with the FTP server while never having one ounce of issue with the BuildAgents. Our goal is to now use the BuildAgents to publish and not just build. Here is what we are now trying to accomplish.

Our operations team requires us to have all communications going through the firewall to be secured communications via HTTPS, SFTP or some other form of secured communications from the LAN into a DMZ. We've been using SFTP successfully but the FTP Server we are using has had issues recently and we are looking to replace this with a BuildAgent which can pull the Build Source from an SVN Releases Repository. This would also give us the ability to execute an NAnt script to reset the IIS environment as needed.

1. How do I setup the BuildAgent to securely communicate with the TeamCity Server? I have port 9090 setup to go through the firewall which is what our current build agent is using to communicate with the TC Server anyway. What I don't understand is the communications process between the BuildAgent and the TC Server and what needs to happen for me to get these two communicating securely through the firewall.

2. How do I test that the BuildAgent is communicating with the server over port 9090 through the firewall securely?

Mike Langley
Sr. Systems Analyst/Architect

1 comment
Comment actions Permalink

Some information about HTTPS configuring is available here:

In brief if you are using valid certificate signed by well known authority then all you need is to configure HTTPS on a TeamCity server side. I would recommend to use Apache or IIS in connection with Tomcat for this setup. Otherwise you will be required to import certificates to agents JVMs.

However TeamCity also needs to send commands to agents. These commands are sent by HTTP but since agent does not have full-fledged HTTP server there is no way to encrypt them. Server sends commands to start build along with necessary data. Data can include VCS roots details (with passwords encrypted if you are using TeamCity 4.0). Other commands which are sent to an agent are: ping, stop build, upgrade. They do not contain any sensitive information.

Also there is some difference how VCS source checkout is performed. If you are using server side checkout then TeamCity server retrieves source code on request from the agent. Since agent initiates this communication the patch can be sent by HTTPS. But if you are using agent side checkout then agent itself retrieves sources. In this case to use secure communications you should properly configure VCS roots.

Hope this helps.


Please sign in to leave a comment.