<p>Lean Phoenix, by Jeffrey Opdam. VSTS - Private Build Server. Published 2017-01-13, updated 2017-01-17.</p>
<h2>Private Build Server</h2>
<br />
<h3>Introduction</h3>
<p>
This week I am helping a team that hosts its code in Visual Studio Team Services (VSTS for short). They want a continuous delivery pipeline that builds and deploys their software on their internal servers, which reside ‘on premise’. These internal servers have no access to the internet by design, and allowing a server to connect to the internet requires an exceptionally heavy approval process that takes weeks to months.
</p>
<h3>Concept</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9rn9lE8gSsKIHtCtoqgCLUKdK4d9g0YMoqkjeVw2UJ4OHQt40VK8jLf83PoADSuAWuLEFpzIZAHh6zUDa9Q2-bGNWUtc9uojVXPB5Ckho-UJCa5ZdkIVTMkFtCht3ZeAmWafkS2yCTEz9/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9rn9lE8gSsKIHtCtoqgCLUKdK4d9g0YMoqkjeVw2UJ4OHQt40VK8jLf83PoADSuAWuLEFpzIZAHh6zUDa9Q2-bGNWUtc9uojVXPB5Ckho-UJCa5ZdkIVTMkFtCht3ZeAmWafkS2yCTEz9/s1600/1.png" /></a>
</div>
<p>
Our intention is to set up a Build Agent within the internal network that connects to their VSTS site (<b>https://&lt;&lt;youraccount&gt;&gt;.visualstudio.com</b>). The connection has to go through a proxy that only allows traffic to websites that have been whitelisted. With the on-premise Build Agent in this setup, we can trigger a build and/or release from VSTS that runs on the Build Agent. For policy reasons we are not allowed to run the Build Agent on a target server, so we use the Build Agent to perform the steps needed to deploy a release to a Target Server.
</p>
<h3>Setup</h3>
<p>
First we need to create a Personal Access Token (PAT), which we will use for the initial setup of the Build Agent with VSTS.
</p>
<p>Steps to take:
<br />
1. Go to VSTS (<b>https://&lt;&lt;youraccount&gt;&gt;.visualstudio.com</b>) and log in.<br />
2. Open your profile and select ‘Security’.
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSssg2Wft3qUWi8MiMBSt54ZQbew7H8oxiT6Qt0xuPyXYAUPEUcALBv1XdIsbP-cYw4daIeTyJLxsLDINU8zEfKhJhNJzhb-RQ3U-SuNbjuG-fXJ4RoIlnlUhulCvurovwxzAu_47_1Kot/s1600/2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSssg2Wft3qUWi8MiMBSt54ZQbew7H8oxiT6Qt0xuPyXYAUPEUcALBv1XdIsbP-cYw4daIeTyJLxsLDINU8zEfKhJhNJzhb-RQ3U-SuNbjuG-fXJ4RoIlnlUhulCvurovwxzAu_47_1Kot/s1600/2.png" /></a></div>
3. Fill in the Description, select the correct account and select ‘Agent Pools (read, manage)’ as scope.
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPjCJCezyONvnXnz8UPyN0DwJbxt1grHy-SNW-W5Xdt7JC3Bvcmo5xhHX8JP6Vk_KMPmqNImFy8LH9M3AA_1BF1YVaG0bf6DZhPHFc4ztMF4IIdyvEBG1hmIeuNeO4cNvCKa71LZZEtzya/s1600/3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPjCJCezyONvnXnz8UPyN0DwJbxt1grHy-SNW-W5Xdt7JC3Bvcmo5xhHX8JP6Vk_KMPmqNImFy8LH9M3AA_1BF1YVaG0bf6DZhPHFc4ztMF4IIdyvEBG1hmIeuNeO4cNvCKa71LZZEtzya/s1600/3.png" /></a></div>
4. After the token is generated, make a copy of it and store it in a safe place, as you cannot get the token again.
</p>
<p>
Secondly, we need to download and unzip the agent, which you get by going to the Agent queues of your team project.
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5LeppoHhTYcN5hfzYlCLSmEWDYUA5fLKfFiSNdf4mx4xlgM3UBrBkQ_Xec4S1Zfs3cR1B_p_G-RJ18DidxPVd0PD1x5fc9m99DrWcZvbTdeo57QOWp80vGaJD17wOwIyt8Mm6LxG2VKZn/s1600/4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5LeppoHhTYcN5hfzYlCLSmEWDYUA5fLKfFiSNdf4mx4xlgM3UBrBkQ_Xec4S1Zfs3cR1B_p_G-RJ18DidxPVd0PD1x5fc9m99DrWcZvbTdeo57QOWp80vGaJD17wOwIyt8Mm6LxG2VKZn/s1600/4.png" /></a></div>
</p>
<p>
Before you start configuring the agent, you have to configure its proxy. The agent reads a .proxy file from the directory where you unzipped the agent. You can create the proxy file by running the following command in PowerShell:
</p>
<pre>echo http://&lt;&lt;your-proxy-server&gt;&gt;:8888 | Out-File .proxy</pre>
<p>
Now we are ready to run config.cmd.
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifbsZn_qQXg3n4Y4rmZ2zlKVDL3EPZEIjhtrFy463UIZPTHMSY2pvZ9kvbqEb4yJNflZ4bxIJJT4i4y46lwq2QJoDxBeKvZ6pC4UE5p9jBQIEuNgbf7aKoAaT2u7aDLozWnHJ4C-u5u5p_/s1600/5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifbsZn_qQXg3n4Y4rmZ2zlKVDL3EPZEIjhtrFy463UIZPTHMSY2pvZ9kvbqEb4yJNflZ4bxIJJT4i4y46lwq2QJoDxBeKvZ6pC4UE5p9jBQIEuNgbf7aKoAaT2u7aDLozWnHJ4C-u5u5p_/s1600/5.png" /></a></div>
1. Enter the URL of your account on VSTS.<br />
2. Choose PAT. <br />
3. Enter the PAT you retrieved. <br />
4. Enter the agent pool. <br />
5. Enter the agent name. <br />
</p>
<p>
As you can see, we got an error. Unfortunately the cause was not clear to me, as I had gone through the guide (<a href="https://www.visualstudio.com/en-us/docs/build/admin/agents/v2-windows">https://www.visualstudio.com/en-us/docs/build/admin/agents/v2-windows</a>) step by step and the firewall team had added <b>https://&lt;&lt;youraccount&gt;&gt;.visualstudio.com</b> to the whitelist for the Build Agent. After turning on Fiddler the problem became clear.
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirIwiCNNZbqBJoH32YtplCMtB1xNp5rXW1scxFsgUP4PQ0TQTEFFEBktnoBZM0R8qsup6c-kRa23aYy_mQmPlELWx2rq6dx6M0mio12_JwrywVOxqmWgDbnc7ZKRj9dI1xuadW48tS7Qgz/s1600/6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirIwiCNNZbqBJoH32YtplCMtB1xNp5rXW1scxFsgUP4PQ0TQTEFFEBktnoBZM0R8qsup6c-kRa23aYy_mQmPlELWx2rq6dx6M0mio12_JwrywVOxqmWgDbnc7ZKRj9dI1xuadW48tS7Qgz/s1600/6.png" /></a></div>
The agent also connects to a second URL: <b>https://&lt;&lt;youraccount&gt;&gt;.vssps.visualstudio.com</b>.
</p>
<p>After adding the second URL to the proxy whitelist, we could connect the agent to VSTS.
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNBjvjtd5T9lUpAm_mZMkbfWhVUtAweDkiCu-5ndGtqxo_WmFRuynNMFy0-uXWoWxUnhYx-NZDjMsnc9I8PuYQzFi6ipTrVnrKHFFc3S7ORuhudYnB-Tfr9ynLUH-yu9PfUePwCR9lZok0/s1600/7.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNBjvjtd5T9lUpAm_mZMkbfWhVUtAweDkiCu-5ndGtqxo_WmFRuynNMFy0-uXWoWxUnhYx-NZDjMsnc9I8PuYQzFi6ipTrVnrKHFFc3S7ORuhudYnB-Tfr9ynLUH-yu9PfUePwCR9lZok0/s1600/7.png" /></a></div>
</p>
<h3>Package Management</h3>
<p>
If you want to use the package management extension, you have to add another URL to the proxy whitelist: <b>https://&lt;&lt;youraccount&gt;&gt;.pkgs.visualstudio.com</b>
</p>
<h3>Conclusion</h3>
<p>
When your ‘on premise’ Build Agent connects to VSTS through a proxy, you have to whitelist not only <b>https://&lt;&lt;youraccount&gt;&gt;.visualstudio.com</b>, but also <b>https://&lt;&lt;youraccount&gt;&gt;.vssps.visualstudio.com</b> and <b>https://&lt;&lt;youraccount&gt;&gt;.pkgs.visualstudio.com</b>. I hope this post will help others with connecting their Build Servers to VSTS in an enterprise environment.
</p>
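<p>
A pre-flight check for the three hosts named above, as an added example that is not part of the original post or of the agent itself: it asks the proxy from the .proxy file for a CONNECT tunnel to each host and reports the proxy's answer, so a missing whitelist entry shows up before config.cmd is run. The script parameters and the function name <code>Test-ProxyConnect</code> are assumptions, and the proxy is assumed to require no authentication (a 407 answer is reported as not allowed); no PAT and no TLS traffic is sent.
</p>

```powershell
# Added example: ask the proxy whether it will open a tunnel to each VSTS host.
# Test-ProxyConnect, -Account and -ProxyFile are names chosen for this sketch.
param(
    [Parameter(Mandatory)] [string] $Account,   # the <<youraccount>> part of the URL
    [string] $ProxyFile = '.\.proxy'            # file created in the agent directory
)

function Test-ProxyConnect {
    param([uri] $Proxy, [string] $TargetHost, [int] $Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient
    $answer = $null
    try {
        $client.ReceiveTimeout = 10000
        $client.Connect($Proxy.Host, $Proxy.Port)
        $stream = $client.GetStream()

        # HTTPS through an explicit proxy starts with a CONNECT for the host name;
        # a host-based whitelist is applied to this request.
        $request = "CONNECT ${TargetHost}:$Port HTTP/1.1`r`nHost: ${TargetHost}:$Port`r`n`r`n"
        $bytes = [Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)

        # Only the status line of the proxy's reply is needed.
        $reader = New-Object System.IO.StreamReader($stream, [Text.Encoding]::ASCII)
        $answer = $reader.ReadLine()
    }
    catch { $answer = "no answer: $($_.Exception.Message)" }
    finally { $client.Close() }   # drop the tunnel without sending anything through it

    [pscustomobject]@{
        Host    = $TargetHost
        Allowed = [bool]($answer -match '^HTTP/1\.[01] 2\d\d')
        Answer  = $answer
    }
}

$proxyLine = (Get-Content -Path $ProxyFile -TotalCount 1).Trim()
$targets = @(
    "$Account.visualstudio.com",        # account site
    "$Account.vssps.visualstudio.com",  # second URL the agent connects to
    "$Account.pkgs.visualstudio.com"    # only needed for package management
)
$results = $targets | ForEach-Object { Test-ProxyConnect -Proxy ([uri]$proxyLine) -TargetHost $_ }
$results | Format-Table -AutoSize
if ($results.Allowed -contains $false) { exit 1 }
```

<p>
Run it from the directory where the agent was unzipped; any row with Allowed set to False names the host to raise with the firewall team.
</p>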