Configuration Options for a Local Azure DevOps Server
Learn how to securely integrate your Azure DevOps Server (on-premises) instance with Unito for seamless 2-way sync.
What does this article cover?
- Prerequisites before configuring
- 3 methods for connecting Azure DevOps Server to Unito
- Troubleshooting tips for Azure DevOps Server installations
- Other on-premise tips
- Reach out to us if all else fails
Azure DevOps Server is Microsoft’s self-hosted version of Azure DevOps, allowing organizations to manage their development lifecycle, work items, repositories, and pipelines on infrastructure they control.
With Unito, you can connect your on-premises Azure DevOps Server instance to other tools for powerful, two-way data synchronization.
This guide walks through optional configuration steps to securely expose your Azure DevOps Server instance so Unito can connect to it.
Azure DevOps Server support is currently only available on request. If you need to connect your on-premise Azure DevOps instance to other tools with Unito, reach out to our team.
Prerequisites before configuring
- Confirm Accessibility: Ensure your Azure DevOps Server instance is accessible from the internet. If your server is behind a firewall or VPN, you will need to configure your network so Unito’s servers can reach your Azure DevOps REST APIs.
- API authentication via PAT: Unito connects to Azure DevOps Server using the Azure DevOps REST API. You will need to generate a Personal Access Token (PAT) with read and write permissions to the collections you would like to sync.
These credentials allow Unito to read and write data such as:
- Work items
- Projects
- Fields and custom fields
3 methods for configuring your Azure DevOps Server connection to Unito
There are three main approaches for securely exposing your Azure DevOps Server instance to Unito.
Open firewall ports
Configure your firewall or router to open a port and forward traffic to your internal Azure DevOps Server instance. Any port can work, but when configuring the connection in Unito, ensure the same port is included in your server URL.
- HTTPS: Your Azure DevOps Server must be accessible via HTTPS, not HTTP.
- IP restrictions: You can also specify which IP addresses can access your open port for added security. Limit access to Unito's fixed IP addresses and your internal IP addresses.
Benefits: This approach has the easiest setup for organizations with simple network infrastructures (e.g. with a single router). Also, administration is simple once the service is provisioned.
Drawbacks: Opening ports in larger organizations can be a complex process involving multiple departments. Since this approach works at the network level (layer 3), there's no control over traffic contents (e.g. which API endpoints are called).
Reverse proxy or API gateway
If you prefer not to directly expose your Azure DevOps Server instance to the internet, you can use a reverse proxy or API gateway as an intermediary. This acts as a secure "front door" for your Azure DevOps instance, handling incoming requests from Unito and forwarding them to your internal server.
Common examples of reverse proxies and API gateways include StrongLoop, IBM, F5, Oracle, and NGINX.
Security Enhancement: You can configure the reverse proxy to only allow access from Unito's IP addresses, add an extra layer of security with our SSL client certificates, or require custom HTTP headers.
For these advanced configurations, we suggest you contact us, and we'll get you all set up in no time.
Benefits:
- Enhanced Security: Your Azure DevOps instance remains hidden behind the proxy, reducing its exposure to potential threats.
- Flexibility: You gain granular control over how Unito communicates with your infrastructure.
Drawbacks:
- Additional Complexity: Setting up and managing a reverse proxy introduces a new component to your infrastructure, which requires additional configuration and maintenance.
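The three controls described in this section (IP allowlist, client certificates, custom HTTP header) expressed as an NGINX server block. This is an added example, not configuration from Unito or Microsoft; the host names, file paths, the X-Proxy-Token header name and its value are placeholders, and the file is assumed to be included inside NGINX's http context.

```nginx
# Added example: every host name, path and header value here is a placeholder.
# Include this file inside the http {} context (for example from conf.d/).

# Custom-header check: the flag is 1 only when the shared secret matches.
map $http_x_proxy_token $token_ok {
    default 0;
    "REPLACE_WITH_LONG_RANDOM_VALUE" 1;
}

server {
    listen 443 ssl;                       # HTTPS only; no port-80 listener
    server_name ado-proxy.example.com;    # placeholder public name

    ssl_certificate     /etc/nginx/tls/ado-proxy.fullchain.pem;  # leaf + intermediates
    ssl_certificate_key /etc/nginx/tls/ado-proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client certificates (mTLS): reject any client that does not present a
    # certificate chaining to this CA (assumed to be obtained from Unito).
    ssl_client_certificate /etc/nginx/tls/unito-client-ca.pem;
    ssl_verify_client on;

    # IP allowlist: Unito's fixed addresses as listed in this article.
    # allow/deny match the direct TCP peer, so this must be the internet-facing hop.
    allow 54.82.172.192;
    allow 54.82.178.193;
    deny  all;

    location / {
        if ($token_ok = 0) { return 403; }   # missing or wrong custom header

        proxy_pass https://ado-internal.example.local;   # placeholder internal server
        proxy_ssl_verify on;                              # validate the upstream certificate
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Run `nginx -t` to validate the file before reloading the proxy.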
On-premise agent or tunneling
An on-premise agent establishes a secure tunnel between your Azure DevOps Server instance and Unito's infrastructure.
Recommendation: We suggest using ngrok as your on-premise agent. It's a lightweight tool that supports end-to-end encryption and IP whitelisting for added security.
The agent creates a secure outbound tunnel from your network to the internet. Instead of exposing your Azure DevOps Server directly:
- The tunneling agent runs inside your network
- It establishes an encrypted outbound connection
- Unito communicates through that tunnel
Benefits:
- No firewall changes required
- Azure DevOps Server remains isolated from the public internet
- Encrypted communication
Considerations:
- Requires installation of a third-party agent
- Consumes minimal system resources
Troubleshooting tips for Azure DevOps Server installations
If you encounter problems connecting your Azure DevOps Server instance to Unito, check the following.
Verify HTTPS
Make sure your server is served over HTTPS, and not just HTTP.
- Confirm that your Azure DevOps Server is accessible via HTTPS (not HTTP).
- Open your Azure DevOps instance in a browser to check if the address bar indicates a secure connection.
- If not, contact your system administrator to enable HTTPS.
- For more information, see Unito's HTTPS requirements and setup tips.
Test internet accessibility
Make sure your server is accessible from the public internet:
- Use an online website testing tool like Pingdom Tools to check if your server is accessible from outside your network.
- If not, consult your network administrator to make the server publicly accessible.
Validate SSL/TLS configuration
Make sure your server's SSL/TLS certificate is correctly configured:
- Use an online SSL diagnostics tool (like SSL Labs) to verify your server's SSL/TLS certificate.
- If the diagnostics report a problem (often a missing "intermediate certificate"), provide the diagnostic results to your server administrator.
- You can also refer to our guide on how to enable SSL/TLS client certificates.
Other on-premise tips
We've created additional guides to help make sure your on-premise installation works flawlessly with Unito.
How to enable SSL/TLS client certificates
Check out our full guide to enabling SSL/TLS client certificates (Mutual TLS/mTLS).
What IP Addresses Does Unito Use?
Here are our fixed IP addresses:
54.82.172.192
54.82.178.193
We also maintain the following fully qualified domain names (FQDN) to point to our IP addresses.
a.infra-ip.unito.io
b.infra-ip.unito.io
Reach out to us if all else fails
If you've tried these troubleshooting steps and are still experiencing difficulties, our support team is ready to assist you. Please gather the following information before you contact Unito for support:
- Azure DevOps Server version
- Network configuration details (firewalls, proxies, gateways)
- Authentication method used (PAT, etc.)
- Any error messages received during connection