Deploy Modes

Source System: The system containing the changes to be deployed. Usually a development or staging system.

Target System: The system to which changes are applied. Usually a staging or production system.

Deploy Package: A proprietary binary format containing web files, SQL and CLR modules, table contents, and migration scripts.

Pull Deploy

In Pull mode, an administrator logs in to the target system and initiates the deployment. The target system downloads the deploy package from the source system and installs it locally.

The integrity and authenticity of the deploy package are ensured using a symmetric key shared between the source and target systems.

Pull is the recommended deployment mode and is more secure than Push. An attacker would need to compromise both the target system’s administrator account and the shared symmetric key.

| Server        | Inbound traffic          | Outbound traffic       |
|---------------|--------------------------|------------------------|
| Source server | Allow from target system | Not required           |
| Target server | Not required             | Allow to source system |

Push Deploy

In Push mode, an administrator logs in to the source system and initiates the deployment. The source system transfers the deploy package to the target system, which then installs it.

The integrity and authenticity of the deploy package are ensured using a symmetric key shared between the source and target systems.

Push is less secure than Pull, because an attacker only needs to compromise either the source system’s administrator account or the shared symmetric key. This risk can be reduced by restricting which network addresses are allowed to connect to the target system.

| Server        | Inbound traffic          | Outbound traffic       |
|---------------|--------------------------|------------------------|
| Source server | Not required             | Allow to target system |
| Target server | Allow from source system | Not required           |

Manual Deploy

In Manual mode, an administrator logs in to the source system and creates a deploy package, which is then downloaded to their PC. The package is transferred to a location from which it can be uploaded to the target system. An administrator then logs in to the target system and uploads the deploy package.

The integrity of the deploy package is not guaranteed.

Manual deploy mode is generally used for systems that must be air-gapped.

| Server        | Inbound traffic | Outbound traffic |
|---------------|-----------------|------------------|
| Source server | Not required    | Not required     |
| Target server | Not required    | Not required     |

External Deploy

Unlike the other modes, External Deploy uses ZIP files instead of deploy packages.

In External deploy mode, there are two target systems: a shadow target and a real target. An administrator logs in to the source system and initiates the deployment. The source system then negotiates with the shadow target and generates a ZIP file containing files and migration scripts. This ZIP file must be manually applied to both the shadow target and the real target.

The integrity of the ZIP file is not guaranteed.

External Deploy is vulnerable to human error. It requires that the shadow target and the real target are kept in sync.

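| Server        | Inbound traffic          | Outbound traffic       |
|---------------|--------------------------|------------------------|
| Source server | Not required             | Allow to shadow target |
| Shadow target | Allow from source system | Not required           |
| Real target   | Not required             | Not required           |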
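
Manual Deploy and External Deploy both leave the integrity of the transferred file unguaranteed. The following is an added example, not part of the product or of the original page: an operator-side check that computes an HMAC-SHA256 tag over the file next to the source system and verifies it before the file is uploaded or applied to a target. The key provisioning, the file name and the choice of HMAC-SHA256 are assumptions; the page does not say which algorithm the built-in Pull and Push checks use.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024  # stream in chunks so large packages are not loaded into memory


def package_tag(path: str, key: bytes) -> str:
    """Return the hex HMAC-SHA256 of the file at `path` under `key`."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            mac.update(chunk)
    return mac.hexdigest()


def verify_package(path: str, key: bytes, expected_tag: str) -> bool:
    """True only if the file still matches the tag produced on the source side."""
    actual = package_tag(path, key)
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(actual, expected_tag.strip().lower())


def demo() -> dict:
    """Constructed sample: tag a fake package, then alter one byte in transit."""
    key = os.urandom(32)  # hypothetical key, provisioned to both admins out of band
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "release.pkg")  # hypothetical file name
        with open(pkg, "wb") as fh:
            fh.write(b"constructed package bytes " * 1000)
        tag = package_tag(pkg, key)           # computed next to the source system
        intact = verify_package(pkg, key, tag)
        with open(pkg, "r+b") as fh:          # simulate modification during transfer
            fh.seek(10)
            fh.write(b"X")
        tampered = verify_package(pkg, key, tag)
        wrong_key = verify_package(pkg, os.urandom(32), tag)
    return {"intact": intact, "tampered": tampered, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```

The tag may travel with the file, since it cannot be recomputed without the key; the key itself must reach the target-side administrator by a separate channel.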