Azure DevOps Server 2020 with Azure Application Proxy - Configuration Guide

Overview

This guide covers advanced configuration options and optimizations for Azure DevOps Server 2020 with Azure Application Proxy integration.

Advanced Application Proxy Configuration

Custom Headers

Configure custom headers for improved functionality:

X-Forwarded-For: Client IP address
X-Forwarded-Proto: https
X-Forwarded-Host: External domain name

Session Affinity

For Azure DevOps Server clusters:

Enable session affinity in Application Proxy settings
Configure load balancer persistence
Test failover scenarios

Timeout Settings

Adjust timeout values for large operations:

Backend timeout: 180 seconds (default: 85 seconds)
Idle timeout: 4 minutes for long-running operations

Azure DevOps Server Configuration

Web.config Modifications

Update web.config files for external access:

<configuration>
  <appSettings>
    <add key="PublicURL" value="https://devops-external.yourdomain.com/" />
    <add key="AllowExternalNotifications" value="true" />
  </appSettings>
</configuration>

URL Rewriting

Configure IIS URL rewriting for proper redirects:

<system.webServer>
  <rewrite>
    <rules>
      <rule name="External URL Redirect" stopProcessing="true">
        <match url=".*" />
        <conditions>
          <add input="{HTTP_HOST}" pattern="internal-server" />
        </conditions>
        <action type="Redirect" url="https://devops-external.yourdomain.com/{R:0}" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

Authentication Configuration

Azure AD Integration

Configure Azure AD Connect (if using hybrid identity)
Set up group claims for role-based access
Configure conditional access policies

Multi-Factor Authentication

Enable MFA for external access:

Create conditional access policy
Target the Azure DevOps Application Proxy app
Require MFA for external access locations

Service Principal Authentication

For build agents and automation:

Create service principal in Azure AD
Grant appropriate permissions to Azure DevOps
Configure authentication in build pipelines

Performance Optimization

Connector Optimization

Install multiple connectors for high availability
Use dedicated connector groups for different applications
Place connectors close to backend services

Caching Configuration

Configure appropriate caching headers:

Static resources: Long cache duration
Dynamic content: Short or no cache
API responses: Contextual caching

Compression Settings

Enable compression in IIS:

Install Dynamic Content Compression
Configure compression for JSON/XML responses
Set appropriate compression levels

SSL/TLS Configuration

Certificate Management

Use wildcard certificates for multiple subdomains
Set up certificate renewal automation
Configure certificate binding in IIS

Security Headers

Add security headers in IIS:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Git Configuration

Git over HTTPS

Configure Git for external access:

Update remote URLs to use external domain
Configure credential caching
Test clone, push, and pull operations

Large File Support (LFS)

Configure Git LFS for external access:

Update LFS endpoints in .lfsconfig
Test LFS operations through proxy
Configure appropriate timeouts

Build and Release Configuration

Build Agents

Configure build agents for external access:

Update agent pool URLs
Configure firewall exceptions
Test agent connectivity

Release Pipelines

Update release pipeline configurations:

Change service endpoints to external URLs
Update webhook configurations
Test deployment pipelines

Monitoring and Logging

Application Proxy Logs

Enable comprehensive logging:

Configure Application Proxy connector logging
Set up log forwarding to Azure Monitor
Create custom dashboards

Azure DevOps Server Logs

Configure enhanced logging:

Enable detailed IIS logging
Configure Event Log forwarding
Set up performance monitoring

Custom Metrics

Track important metrics:

Connection success rates
Authentication latency
Request/response times
Error rates by operation

Backup and Disaster Recovery

Configuration Backup

Regular backup of:

Application Proxy application settings
Azure DevOps Server configuration
SSL certificates and keys
Custom configuration files

Disaster Recovery Plan

Document recovery procedures
Test failover scenarios
Maintain updated contact information
Validate backup restoration procedures

User Experience Optimization

URL Consistency

Ensure consistent URL usage:

Update all internal links to use external URLs
Configure automatic redirects
Update documentation and training materials

Browser Compatibility

Test and optimize for:

Modern browsers (Chrome, Firefox, Edge)
Mobile browsers
Different screen resolutions
Accessibility requirements

Security Hardening

Network Security

Implement network segmentation
Configure minimal firewall rules
Use private endpoints where possible
Regular security assessments

Application Security

Regular security updates
Vulnerability scanning
Penetration testing
Security incident response plan

Troubleshooting Advanced Issues

Performance Issues

Check connector resource utilization
Monitor network latency
Analyze slow queries
Review caching effectiveness

Authentication Issues

Verify token expiration settings
Check group membership synchronization
Validate conditional access policies
Test service principal authentication

Connectivity Issues

Verify DNS resolution
Check certificate validity
Test from different network locations
Analyze proxy logs

Next Steps

After advanced configuration:

Review Security Considerations
Set up comprehensive monitoring
Conduct user training
Plan regular maintenance windows
Document custom configurations

FilesExpand file tree

configuration-guide.md

Latest commit

History