I emailed this to support 8 days ago and hadn’t received any response, and am an impatient fellow, so I thought it isn’t a bad topic to have in public discussion anyway, as other users must also be running into it.
Basically as documented here and here, we are having issues with Octopus Server and Tentacles on servers without internet connection, attempting to make connections to internet resources and causing the tentacle to lockup/restart itself, hindering the discovery process.
TCPView shows the following communication attempts from Tentacle.exe (and more similar ones from svchost.exe):

```
Tentacle.exe:6776   TCP  server.company.com:56239  a23-209-183-17.deploy.static.akamaitechnologies.com:http  SYN_SENT
Tentacle.exe:6776   TCP  server.company.com:56241  a23-209-183-19.deploy.static.akamaitechnologies.com:http  SYN_SENT
Tentacle.exe:10728  TCP  server.company.com:56249  ocsp.comodoca.com:http                                    SYN_SENT
Tentacle.exe:10728  TCP  server.company.com:56251  crl.comodoca.com:http                                     SYN_SENT
```
The Octopus documentation (and the above forum post) mentions disabling “Check for publisher’s certificate revocation” in Internet Explorer advanced security options. I just wanted to mention that this is a per-user setting, so unless you run your tentacle under a service account and log on with that service account to set the IE setting, doing it in IE doesn’t really do much.
We run our tentacles under the LocalSystem account (default installation setup), but luckily you CAN set this same IE option via the registry, using the special SID of the LocalSystem account:

```
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Original Value (Enables CRL Checking):  "State"=dword:00023c00
New Value (Disables CRL Checking):      "State"=dword:00023e00
```
I found this information here: https://social.technet.microsoft.com/Forums/exchange/en-US/1a89fff4-da6e-4055-be04-2e52af3ee76e/disable-crl-check-for-exchange-servers-without-internet-access?forum=exchange2010
So after doing this, the CRL and OCSP attempts no longer occur, so this has indeed removed those “check for publisher certificate revocation” attempts. It would be a good idea to update the doco etc. with this information about how to set that reg key for the LocalSystem account.
Unfortunately though, the attempts to hit those 2 Akamai URLs are still occurring, and this is still causing the tentacle problems where it restarts itself and thus affects the communication between server and tentacle (it seems to mostly impact the discovery/add tentacle process; once they are connected they seem to stay connected).
Please can you help identify what these attempts to communicate with these 2 Akamai URLs are and how we can remove them? I guess it might be either the .NET Framework or some other component attempting to do auto updates or some other type of phone home. There really needs to be a way to stop this from happening; otherwise tentacle.exe times out trying to hit it and restarts itself, and meanwhile the “Add new Tentacle” discovery process gets timeouts or connection refused errors.

```
Tentacle.exe:12748  TCP  server.company.com:59677  a23-209-183-17.deploy.static.akamaitechnologies.com:http  SYN_SENT
Tentacle.exe:1692   TCP  server.company.com:59685  a23-209-183-19.deploy.static.akamaitechnologies.com:http  SYN_SENT
```
If Support or any other users can confirm they also see this, and more so can indicate a solution, it would be awesome.
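Added example (not from the original post or from Octopus Deploy): a PowerShell script that inspects the LocalSystem (S-1-5-18) WinTrust `State` value described above and, on request, flips only the bit that differs between the two values quoted in the post, so any other flags already set in `State` are preserved. The `-DisableRevocationCheck` switch name is my own, and it must be run from an elevated prompt because `HKEY_USERS\S-1-5-18` is not readable otherwise.

```powershell
# Inspect / toggle the "Check for publisher's certificate revocation" flag
# for the LocalSystem account (SID S-1-5-18), which the Tentacle service runs as.
# Run elevated. Example code written for this thread, not part of Octopus.
param(
    [switch]$DisableRevocationCheck   # assumed switch name; omit to only inspect
)

$keyPath = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

# The two DWORD values quoted in the post: checking enabled vs. disabled.
$enabledValue  = 0x23c00
$disabledValue = 0x23e00

# Derive the single bit that differs (0x200) instead of hard-coding it, so we
# never overwrite the other flags that happen to be present in State.
$ignoreRevocationBit = $enabledValue -bxor $disabledValue

$current  = (Get-ItemProperty -Path $keyPath -Name State -ErrorAction Stop).State
$checking = (($current -band $ignoreRevocationBit) -eq 0)
'Current State: 0x{0:X} (revocation checking {1})' -f $current,
    $(if ($checking) { 'ENABLED' } else { 'DISABLED' })

if ($DisableRevocationCheck -and $checking) {
    $new = $current -bor $ignoreRevocationBit
    Set-ItemProperty -Path $keyPath -Name State -Value $new -Type DWord
    'State set to 0x{0:X}; restart the Tentacle service for it to take effect' -f $new
}
```

Re-running the script without the switch afterwards is a quick way to confirm the change and to audit other offline servers for the same setting.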