It is common to want to lock down servers. Especially production servers or servers in a DMZ. But the Octopus Server and Tentacle need to communicate. Which ports are required?
It is important to point out there are two communication modes for tentacles, polling, and listening. If you are unfamiliar with those, I would encourage you to read this: https://octopus.com/docs/infrastructure/deployment-targets/windows-targets/tentacle-communication.
With listening tentacles, you would need to open up inbound port 10933.
For polling tentacles, you will need to open up outbound port 10943.
However, to register the tentacle with Octopus, you will also need port 80 or 443 (depending on if you have https configured on your Octopus Server). That is required for polling tentacles. It is optional for listening tentacles as you can register the tentacle from the server itself.