Port Forwarding on firewall

(scott.emberson) #1

Hello,
We are trying to set up the use of port forwarding on our firewall. Octopus cannot connect to the Tentacle. So we have set up the rule of if { [TCP::local_port] == 14381 } {node IP Address 10933}.
On the Octopus Tentacle, I have set up two instances, one listening on 10933 and the other on 14381, to test both. When I try to connect to it from the Octopus server using 14381, it fails to connect.
Error:
The client was unable to establish the initial connection within 00:01:00
Halibut.HalibutClientException
at Halibut.Transport.DiscoveryClient.Discover(ServiceEndPoint serviceEndpoint)
at Octopus.Server.Web.Api.Actions.MachineDiscovery.TentacleDiscovery.Discover(String host, Int32 port, ProxyDetails proxy)
at Octopus.Server.Web.Api.Actions.DiscoverMachineResponder.Discover(String host, Int32 port, Nullable`1 discoverableEndpointType, ProxyDetails proxyDetails)
at Octopus.Server.Web.Api.Actions.DiscoverMachineResponder.ExecuteRegistered()
at Octopus.Server.Web.Infrastructure.Api.Responder`1.Respond(TDescriptor options, NancyContext context)
at System.Dynamic.UpdateDelegates.UpdateAndExecute3[T0,T1,T2,TRet](CallSite site, T0 arg0, T1 arg1, T2 arg2)
at Octopus.Server.Web.Infrastructure.OctopusNancyModule.<>c__DisplayClass14_0.<get_Routes>b__1(Object x)
at Nancy.Routing.Route.<>c__DisplayClass4.b__3(Object parameters, CancellationToken context)

–Inner Exception–
The client was unable to establish the initial connection within 00:01:00
Halibut.HalibutClientException
at Halibut.Transport.TcpClientExtensions.ConnectWithTimeout(TcpClient client, String host, Int32 port, TimeSpan timeout)
at Halibut.Transport.TcpClientExtensions.ConnectWithTimeout(TcpClient client, Uri remoteUri, TimeSpan timeout)
at Halibut.Transport.DiscoveryClient.CreateConnectedTcpClient(ServiceEndPoint endPoint)
at Halibut.Transport.DiscoveryClient.Discover(ServiceEndPoint serviceEndpoint)

Thanks
Scott

(Lawrence Wilson) #2

Hi Scott,
Thanks for getting in touch! I’m sorry to hear you are seeing issues with establishing a TCP connection from your Octopus Server to a Tentacle through a firewall.

Please let me know if I have misunderstood your situation, but my understanding is that you would like to achieve Port forwarding, while translating ports using an F5 appliance which is sitting between the Octopus server and Tentacle. In this case the Octopus server thinks the Tentacle is listening on 14381, but it’s actually listening on 10933.

May I please confirm that you are using the Tentacle in listening mode? If this is the case, you would need to ensure that the Tentacle is configured to listen on TCP Port 10933. (Please remember to also keep TCP Port 10933 open in the Windows Firewall on the Tentacle.)

Then, on your F5 firewall, you would translate any connection coming in on TCP Port 14381 > TCP Port 10933. This allows you to tell the Octopus server to talk to the Tentacle on TCP Port 14381. I’m not sure of the specifics in setting up the firewall here, but translating the port should be possible.

We have some excellent documentation on troubleshooting listening tentacles which should give you a feel for how the Tentacles communicate.

I hope this has been helpful for you, I would love to hear how this goes.

Kind regards,
Lawrence.
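
Added example, not part of the original posts and not Octopus Deploy tooling: a small TCP probe, run from the Octopus Server host, that separates a silently dropped connection (the timeout in the error above) from an actively refused one on the forwarded port 14381 and the Tentacle port 10933. The function names, hint texts and default host are assumptions made for this illustration.

```python
import errno
import socket
import sys

# Interpretation of each connect outcome (wording is this example's own).
HINTS = {
    "open": "TCP path works; any remaining failure is above TCP (for example TLS).",
    "timeout": "No answer at all: packets are dropped, typically by a firewall "
               "rule that does not match or a missing route.",
    "refused": "A reset came back: the connection reached a host where nothing "
               "listens on the target port, or a device actively rejects it.",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt: open, refused, timeout or error:<name>."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        # Covers name-resolution failures, unreachable networks and similar.
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def diagnose(host, ports=(14381, 10933), timeout=3.0):
    """Probe each port and return {port: (state, hint)}."""
    results = {}
    for port in ports:
        state = probe(host, port, timeout)
        hint = HINTS.get(state, "Unexpected socket error; check DNS and routing.")
        results[port] = (state, hint)
    return results


if __name__ == "__main__":
    # Pass the firewall's external address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (state, hint) in diagnose(target).items():
        print(f"{target}:{port} -> {state}: {hint}")
```

Running the same probe from a host behind the firewall against the Tentacle's port 10933 shows whether the listener itself is reachable, which isolates the translation rule as the failing hop.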

(scott.emberson) #3

Sorry for the slow reply. Yes, we had an issue with our firewall. After some changes, we were able to get this working.

Thanks
Scott

(system) closed #5