Windows Tentacle

When you deploy software to Windows servers, you need to install Tentacle, a lightweight agent service, on your Windows servers so they can communicate with the Octopus Server.

When installed, Tentacles:

  • Run as a Windows service called OctopusDeploy Tentacle.
  • Wait for tasks from Octopus (deploy a package, run a script, etc).
  • Report the progress and results back to the Octopus Server.

Before you install Tentacle, review the software and hardware requirements for:

Communication mode

Tentacles can be configured to communicate in Listening mode or Polling mode. Listening mode is the recommended communication style. Learn about the differences between the two modes and when you might choose to use Polling mode instead of Listening mode on the Tentacle communication page.

Download the Tentacle installer

Octopus Tentacle is available to download for both Windows and Linux (GZip, APT, and RPM) from the downloads page.

Before you can configure your Windows servers as Tentacles, you need to install Tentacle Manager on the machines that you plan to use as Tentacles.

Tentacle Manager is the Windows application that configures your Tentacle. Once installed, you can access it from your start menu/start screen. Tentacle Manager can configure Tentacles to use a proxy, delete the Tentacle, and show diagnostic information about the Tentacle.

  1. Start the Tentacle installer, accept the license agreement, and follow the prompts.
  2. When the Octopus Deploy Tentacle Setup Wizard has completed, click Finish to exit the wizard.
  3. When the Tentacle Manager launches, click GET STARTED.
  1. On the communication style screen, select Listening Tentacle and click Next.
  2. In the Octopus Web Portal, navigate to the Infrastructure tab, select Deployment Targets and click ADD DEPLOYMENT TARGET ➜ WINDOWS, and select Listening Tentacle.
  3. Copy the Thumbprint (the long alphanumerical string).
  4. Back on the Tentacle server, accept the default listening port 10933 and paste the Thumbprint into the Octopus Thumbprint field and click Next.
  5. Click INSTALL, and after the installation has finished click Finish.
  6. Back in the Octopus Web Portal, enter the hostname or IP address of the machine the Tentacle is installed on, i.e., example.com or 10.0.1.23, and click NEXT.
  7. Add a display name for the deployment target (the server where you just installed the Listening Tentacle).
  1. Select which environments the deployment target will be assigned to.
  2. Choose or create at least one target tag for the deployment target and click Save.

Your deployment target is configured, next you need to preform a health check and update Calamari.

If the Tentacle isn’t connecting, try the steps on the troubleshooting page.

Update your Tentacle firewall

To allow your Octopus Server to connect to the Tentacle, you’ll need to allow access to TCP port 10933 on the Tentacle (or the port you selected during the installation wizard).

Intermediary firewalls

Don’t forget to allow access in any intermediary firewalls between the Octopus Server and your Tentacle (not just the Windows Firewall). For example, if your Tentacle server is hosted in Amazon EC2, you’ll also need to modify the AWS security group firewall to tell EC2 to allow the traffic. Similarly, if your Tentacle server is hosted in Microsoft Azure, you’ll also need to add an Endpoint to tell Azure to allow the traffic.

Configure a Polling Tentacle

Listening Tentacles are recommended, but there might be situations where you need to configure a Polling Tentacle. You can learn about the difference between Listening Tentacles and Polling Tentacles on the Tentacle communication page.

Before you can configure your Windows servers as Tentacles, you need to install Tentacle Manager on the machines that you plan to use as Tentacles.

Tentacle Manager is the Windows application that configures your Tentacle. Once installed, you can access it from your start menu/start screen. Tentacle Manager can configure Tentacles to use a proxy, delete the Tentacle, and show diagnostic information about the Tentacle.

  1. Start the Tentacle installer, accept the license agreement, and follow the prompts.
  2. When the Octopus Deploy Tentacle Setup Wizard has completed, click Finish to exit the wizard.
  3. When the Tentacle Manager launches, click GET STARTED.
  1. On the communication style screen, select Polling Tentacle and click Next.

  2. If you are using a proxy see Proxy Support, or click Next.

  3. Add the Octopus credentials the Tentacle will use to connect to the Octopus Server: a. The Octopus URL: the hostname or IP address. b. Select the authentication mode and enter the details: i. The username and password you use to log into Octopus, or: i. Your Octopus API key, see How to create an API key.

    The Octopus credentials specified here are only used once to configure the Tentacle. All future communication is performed over a secure TLS connection using certificates.

  4. Click Verify credentials, and then next.

  5. Give the machine a meaningful name and select which environments the deployment target will be assigned to.

  6. Choose or create at least one target tag for the deployment target.

  7. Leave Tenants and Tenant tags blank unless you are already using Octopus to deploy applications to multiple end users. If you are using Octopus for multiple tenants, enter the Tenants and Tenant Tags. Learn more about Multi-tenant Deployments.

  8. Click Install, and when the script has finished, click Finish.

Your deployment target is configured, next you need to preform a health check and update Calamari.

If the Tentacle isn’t connecting, try the steps on the troubleshooting page.

Update your Octopus Server firewall

To allow Tentacle to connect to your Octopus Server, you’ll need to allow access to port 10943 on the Octopus Server (or the port you selected during the installation wizard - port 10943 is just the default). You will also need to allow Tentacle to access the HTTP Octopus Web Portal (typically port 80 or 443 - these bindings are selected when you install the Octopus Server).

If your network rules only allow port 80 and 443 to the Octopus Server, you can either:

  • Change the server bindings to either HTTP or HTTPS and use the remaining port for polling Tentacle connections.
    • The listening port Octopus Server uses can be changed from the command line using the --commsListenPort option. Even if you do use port 80 for Polling Tentacles, the communication is still secure.
  • Use a reverse proxy to redirect incoming connections to the Tentacle listening port on Octopus Server by differentiating the connection based on Hostname (TLS SNI) or IP Address

Note that the port (or address) used to poll Octopus for jobs is different from the port (or address) used by your team to access the Octopus Deploy web interface; this is on purpose, and it means you can use different firewall conditions to allow Tentacles to access the Octopus Server by IP address.

Using polling mode, you won’t typically need to make any firewall changes on the Tentacle machine.

Intermediary firewalls

Don’t forget to allow access not just in Windows Firewall, but also any intermediary firewalls between the Tentacle and your Octopus Server. For example, if your Octopus Server is hosted in Amazon EC2, you’ll also need to modify the AWS security group firewall to tell EC2 to allow the traffic. Similarly if your Octopus Server is hosted in Microsoft Azure you’ll also need to add an Endpoint to tell Azure to allow the traffic.

Windows Server 2008 Limited Support

From Octopus Server release 2025.1 there will be limited support for executing workloads on targets or workers running Windows Server 2008. As the version of Calamari shipped with later version of Octopus Server will no longer be compatible with Windows Server 2008, the capability has been made available to pin the version of Calamari used on the target itself.

To allow this:

  1. Download the most recent version of Calamari (verify with sha256 or md5 checksum). This is version of Calamari is unlikely to be updated unless there are significant vulnerabilities discovered so it may be missing new capabilities that are released later than 2025.1.

  2. Extract the zip contents to a location on the Tentacle.

  3. Set an environment variable CalamariDirectoryPath with a value of the extracted location. This variable should be provided in a context that will be available to the Tentacle process.

  4. Restart the Tentacle process to ensure that it has access to this new variable.

The next time a deployment is run, Octopus Server will ignore the embedded Calamari version and instead use the one available on the Tentacle. Warnings will continue to be logged to provide a clear signal that this limited support is considered a temporary stop-gap, as we are likely to drop support entirely for this workaround from 2026.1.

Help us continuously improve

Please let us know if you have any feedback about this page.

Send feedback

Page updated on Tuesday, April 30, 2024