Octopus and Firewall opening


(Matija Kovacek) #1

Hello,

We are trying to set up communication between the Octopus Deploy server and our servers which are in the DMZ. So we need to open some firewall requests (IP addresses and ports).

Currently, we have opened TCP port 10933 with the Octopus IP address as the source IP address, and the IP addresses of our servers as destination IPs.

But when I try to discover a new deployment target I get an error “The client was unable to establish the initial connection within 00:01:00 The client was unable to establish the initial connection within 00:01:00”.

Do you know if we should open some other ports? Also our server IP as source and Octopus as a destination? Do they communicate in both directions through port 10933?

Also, we have a problem with the installation of the Tentacle on our servers. We get an error “The computer must be trusted for delegation and the current user account must be configured to allow delegation". Any idea for this?


(Lawrence Wilson) #3

Hi,
Thanks for getting in touch! I’m sorry to hear you are seeing a problem registering new Tentacles against your Octopus Server. We have some documentation on Troubleshooting Tentacles communication here that is often very helpful in getting to the bottom of these issues.
Based on the TCP port (10933), it sounds like you are using Listening Tentacles as opposed to Polling Tentacles. In this scenario, the Octopus Server will make outbound requests to each of your Tentacles on port 10933 (by default).
Your existing rules sound correct where you have already set the rule:

Source IP: <Octopus Server host>
Destination IP: <Tentacles IP Range>
Source Port: * (any)
Destination Port: 10933
Action: Allow

I believe this is all that is required here and you should not need to open any additional ports. You may need to set the firewall on the individual servers (for example the Windows Firewall).

The communication from your Octopus Server would appear to be coming from a random TCP port, but the destination port would be 10933.

The best way to troubleshoot would be to log in to the Octopus Server and navigate to one of your Tentacle IP addresses, for example https://10.0.0.1:10933 (if that was your Tentacle’s IP address); you should see the page stating that your Tentacle is healthy.

Similarly, you should be able to log in to the Tentacle server directly and navigate to https://localhost:10933; if you don’t see the page, this may not be a firewall issue and your Octopus Tentacle may not be started in Windows.

The error you’re seeing when installing the Tentacle looks like it might be related to permissions assigned to the account running Octopus Tentacle. You could try using the Local System account to start the service as a way to troubleshoot if this fixes the problem. However, we have some documentation on Running Tentacle under a Specific Account so you can lock down your environment for better security.

I hope this has been helpful!

Kind regards,
Lawrence.


(Matija Kovacek) #4

Hi,

Thanks for the answer. I have checked right now and it seems that the firewall opening is done correctly.

Regarding the user trust delegation problem. We have a situation where the Octopus server is in domain A, and our servers where the Tentacles are installed are in domain B. The Active Directory team told us that an external trust is enabled, but only one way. So users from domain A can authenticate in domain B, but users in domain B can’t authenticate in domain A. (A user from domain B is trying to install the Tentacle.)

So a user from domain B is installing the Tentacle on servers in domain B, which should communicate with the Octopus server which is in domain A.

The funny thing is that I can log in with both types of user (domain A, domain B) in the Octopus portal.

So at the moment no idea what to do…

One more question: when I try to add a new deployment target, should the deployment target be reachable without an installed Tentacle? Or do we need to have the Tentacle installed first?


(Matija Kovacek) #5

The Tentacle installation problem is solved by a change in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

i.e. right click, create a new DWORD (32-bit) Value, name it ‘ProtectionPolicy’ then edit it to the value of 1. Solves the issue immediately, no restart required.

As described here https://www.reddit.com/r/windows/comments/7i3opn/solved_windows_10_vpn_the_requested_operation/
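A combined check for the one-way firewall rule described in post #3 and the DPAPI registry workaround from post #5, added here as an example and not part of the thread or of Octopus Deploy's own tooling. The Tentacle address 10.0.0.1 is a constructed sample, the service display name 'OctopusDeploy Tentacle' is an assumption, and the registry key path is the one quoted in post #5.

```powershell
<#
  Added diagnostic for the thread above; not Octopus Deploy's own tooling.
  Assumptions (hypothetical): Tentacle at 10.0.0.1, service display name
  'OctopusDeploy Tentacle'. Check 1 runs on the Octopus Server; checks 2 and 3
  run on the Tentacle host.
#>
param(
    [string]$TentacleHost = '10.0.0.1',   # constructed sample address
    [int]$TentaclePort    = 10933         # Listening Tentacle default from the thread
)

# --- Check 1 (Octopus Server): outbound TCP to the Tentacle ---
# Only the server -> Tentacle direction is needed for Listening Tentacles, so a
# failure here is either the DMZ rule or the host firewall on the target.
$tcp = Test-NetConnection -ComputerName $TentacleHost -Port $TentaclePort -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Output "OK   TCP ${TentacleHost}:${TentaclePort} reachable"
} else {
    Write-Output "FAIL TCP ${TentacleHost}:${TentaclePort} not reachable (firewall rule or no listener)"
}

# --- Check 2 (Tentacle host): is the service up and bound to the port? ---
$svc = Get-Service -DisplayName 'OctopusDeploy Tentacle*' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'FAIL Tentacle service not found (is Tentacle installed?)'
} else {
    Write-Output "INFO service '$($svc.Name)' is $($svc.Status)"
}
$listen = Get-NetTCPConnection -State Listen -LocalPort $TentaclePort -ErrorAction SilentlyContinue
if ($listen) {
    Write-Output "OK   listener on ${TentaclePort} (PID $($listen[0].OwningProcess))"
} else {
    Write-Output "FAIL nothing listening on ${TentaclePort}; https://localhost:${TentaclePort} will not answer"
}

# --- Check 3 (Tentacle host): the DPAPI registry workaround from post #5 ---
# ProtectionPolicy under this provider key controls DPAPI master-key backup
# (1 = local backup only, no domain call). Report it so the change is visible
# to whoever audits the host later.
$dpapiKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$policy = (Get-ItemProperty -Path $dpapiKey -Name ProtectionPolicy -ErrorAction SilentlyContinue).ProtectionPolicy
if ($null -eq $policy) {
    Write-Output 'INFO ProtectionPolicy not set (default DPAPI master-key backup behaviour)'
} else {
    Write-Output "INFO ProtectionPolicy = $policy"
}
```

Run check 1 from the Octopus Server and checks 2 and 3 on the DMZ host; a FAIL in check 1 with an OK in check 2 points at the firewall path rather than the Tentacle itself.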


(Lawrence Wilson) #6

Hi,
Thanks for keeping in touch and letting us know how you solved this one! Your response is very helpful.

Kind regards,
Lawrence.