Tentacle in PCI Zone / VPN Connection


#1

I read some threads (13-2015) in the old forum about some using VPN to deploy to tentacle servers outside the network. Has the documentation on getting this to work been published somewhere? We have our UAT and PROD on different networks. The PROD is in the PCI zone. Our security guy doesn’t like to leave ports open. What is the guidance to use Octopus Deploy in PCI zone? I did read the one page article here: https://octopus.com/docs/administration/security/pci-compliance-and-octopus-deploy in the documentation but was looking for a white paper or specific set of steps to follow.


(Michael Noonan) #2

Hi,

Thanks for getting in touch! We don’t have a step-by-step guide for this, unfortunately. We’ve found that every PCI-compliant customer has different approaches to network security, and a one-size-fits-all approach wasn’t helpful.

Instead we’ve focused on providing the most commonly used features for your own interpretation and approach to becoming and staying PCI compliant.

  1. Yes, you can use a VPN between your network security zones. A VPN is a transparent network tunnel between two zones, and you can happily use our Tentacle agent on Windows, or SSH connections for Linux, across a VPN tunnel in the same way you can use them on a local network.
  2. You can consider using a networking proxy for Tentacle or SSH, where the proxy controls and monitors access from your Octopus Server to your workers and deployment targets. Learn about proxy support
  3. If you are using our Tentacle agent on Windows, you can configure it in listening mode (Octopus Server -> Tentacle) or polling mode (Tentacle -> Octopus Server) which changes the direction of your firewall configuration. Learn about Tentacle communication modes

Your security and networking person should be able to help you make these decisions based on how you are maintaining your network security for PCI compliance.

Hope that helps!
Mike


(Michael Noonan) #3

Hi,

I’ve also updated our documentation with some more of this detail in a new section, in case it helps!

Mike


#4

Thanks Michael, it is most appreciated 🙂